Analysis
max time kernel: 150s
max time network: 102s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/07/2025, 05:26
Static task
static1
Behavioral task
behavioral1
Sample
d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Resource
win10v2004-20250610-en
Behavioral task
behavioral2
Sample
d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Resource
win11-20250619-en
General
Target: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Size: 28KB
MD5: 6ba02c3b1bbd1f3526e98624a714f317
SHA1: 91d9f99383564c255d50fb326f54232bbe6d9b6c
SHA256: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0
SHA512: 1bc2e6b737a2731cf82a46adddc5786046dafcdc9d24549c729c7d7c03487a048775bdf524918267a78d11b2c69f834fdc985771ba6b513f13eb0fa76b94767c
SSDEEP: 768:uZ4FLm8Q8Boxn6oxSoxn6ox1YFlLYFlnb9g:uGsx1xtx1xWgn9g
Malware Config
Signatures
Cosmu family
Detects Cosmu payload 1 IoCs
Cosmu is a worm written in C++.
resource: behavioral2/memory/1696-1221-0x0000000000400000-0x0000000000407000-memory.dmp; yara_rule: family_cosmu
Renames multiple (5365) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Drops file in Program Files directory 64 IoCs
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description: Key opened; ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language; Process: d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Processes
C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\d1583f19bce89b61829f036bb1856cbc8eb5a912bb6e2672e6d9806edba192b0.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID: 1696
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 28KB
MD5: 01c333214b5802f9008927499c7e6836
SHA1: dcb4f93c13c8fc92f91cde393d4e2c158eefb417
SHA256: 593cf325efd7e3ca87689483827004fee83ee0583d7f05887d4499dc0017bccd
SHA512: 90e014fd4b340965e254348e868db37d42a286fb57f853b24c36467dbecd8c51b83fceb5a8b7e2354040db8047fcf01722c6d338a8a301a29232863d3b642e5e

Filesize: 109KB
MD5: dae54d509b548e5e7d31c2f361c0dc2a
SHA1: e7e2b910e572c61b2032c5865c256ba2b10e11be
SHA256: e6faeff46b1dec0a7e9d3a414df9c637b241e472836931dab979cb1670a4cc40
SHA512: 38c8c32d81b16202e3a138d5554c99c11beaf7c22ce7108a789a1645b749eada69aa2a31fdb8f988380cc73efaa0d831b239bcac9095776d40b59e7683e669a5