Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:26
Static task: static1
Behavioral task: behavioral1
Sample: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Resource: win10v2004-20250610-en
Behavioral task: behavioral2
Sample: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Resource: win11-20250619-en
General
Target: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Size: 28KB
MD5: 6ba02c3b1bbd1f3526e98624a714f317
SHA1: 91d9f99383564c255d50fb326f54232bbe6d9b6c
SHA256: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0
SHA512: 1bc2e6b737a2731cf82a46adddc5786046dafcdc9d24549c729c7d7c03487a048775bdf524918267a78d11b2c69f834fdc985771ba6b513f13eb0fa76b94767c
SSDEEP: 768:uZ4FLm8Q8Boxn6oxSoxn6ox1YFlLYFlnb9g:uGsx1xtx1xWgn9g
Malware Config
Signatures
Cosmu family
Detects Cosmu payload (1 IoC)
Cosmu is a worm written in C++.
resource: behavioral1/memory/5292-797-0x0000000000400000-0x0000000000407000-memory.dmp
yara_rule: family_cosmu
Renames multiple (5289) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Drops file in Program Files directory (64 IoCs)
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe)
Processes
C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe (PID: 5292)
Command line: "C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 28KB
MD5: ac69af776d05308edac6aee0181109a1
SHA1: aff2c3f37ce8ac3d68b71131c0375b2557136ab7
SHA256: 8b17fd22683ed738bdd8afd9596edee97a0834fa492587bbc247cad1a3c3afcb
SHA512: 273aab6eb3ba841073f6632146f53dc88f5d83260359a8cbaa6c3811ba0a4f71be3601ad6d9ec86c933af60067aee371b2a2383dec6f239d06fcae99d59e626f

Filesize: 108KB
MD5: a429c0be7ab33a3562878ea3ec3abd16
SHA1: d7f782a3439319d2b433ebe6b6631307af16f93b
SHA256: aabe390af57d6d924093804dd341e61d2c4301efb4d2b5048f533dcfcbffcb6c
SHA512: 8bd3a4012cb1f911ecef3458453a60e5062640a88375ae6932c2602e23603924983199914c2ae22d375aac5e62964a65484286232f788a8edf54da403c1f3d87