Analysis
max time kernel: 150s
max time network: 135s
platform: windows10-2004_x64
resource: win10v2004-20250610-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/07/2025, 05:26
Static task: static1
Behavioral task: behavioral1
  Sample: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
  Resource: win11-20250502-en
General
Target: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
Size: 680KB
MD5: edbb420ee4efecf2c4e9e1ea625f52fd
SHA1: 2066bb1097af84a8deb2e41fa5d2b0d06c26f45b
SHA256: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05
SHA512: 9a11823898e1ec8197572059b9fdfd3a8122440cbef4660785c5a11109356b49dc8d67a11c6b53e480feabc07817fb8c27f27fb146609ed2ff6f48dab74682b1
SSDEEP: 12288:j6/aWD0arbq2uqf0ZQFAX6XBYoaUYQUpRaKxGhevFkKQXjEw:s3Rrbq2jcQtYQUaKxBFW
Malware Config
Signatures
- Cosmu family
- Detects Cosmu payload (1 IoC)
  Cosmu is a worm written in C++.
  resource: behavioral1/memory/5912-461-0x0000000000400000-0x0000000000407000-memory.dmp
  yara_rule: family_cosmu
- Renames multiple (2891) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.
- Drops file in Program Files directory (64 IoCs)
  Process for every entry below: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Windows.Forms.Design.resources.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\lib\jconsole.jar.tmp
  File created C:\Program Files\7-Zip\Lang\af.txt.tmp
  File created C:\Program Files\7-Zip\Lang\fy.txt.tmp
  File created C:\Program Files\Common Files\microsoft shared\ink\lv-LV\tipresx.dll.mui.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Private.Xml.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\de\PresentationFramework.resources.dll.tmp
  File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-xstate-l2-1-0.dll.tmp
  File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_OEM_Perp-ppd.xrm-ms.tmp
  File created C:\Program Files\7-Zip\Lang\nn.txt.tmp
  File created C:\Program Files\7-Zip\Lang\pl.txt.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Claims.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Linq.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\System.Xaml.resources.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Windows.Forms.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\messages_es.properties.tmp
  File created C:\Program Files\Microsoft Office\root\Client\api-ms-win-core-processthreads-l1-1-1.dll.tmp
  File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvStreamingManager.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.UnmanagedMemoryStream.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.FileSystem.Watcher.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\WindowsFormsIntegration.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\bin\jli.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\[email protected]
  File created C:\Program Files\Java\jre-1.8\lib\deploy\messages_de.properties.tmp
  File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Grace-ppd.xrm-ms.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\System.Xaml.resources.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\System.Security.Permissions.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-sysinfo-l1-1-0.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\relaxngcc.md.tmp
  File created C:\Program Files\Java\jre-1.8\bin\api-ms-win-core-memory-l1-1-0.dll.tmp
  File created C:\Program Files\Microsoft Office\root\Licenses16\ExcelR_Retail-pl.xrm-ms.tmp
  File created C:\Program Files\Common Files\microsoft shared\ink\IpsMigrationPlugin.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Xml.XDocument.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\PresentationCore.resources.dll.tmp
  File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\VisualElements\LogoDev.png.tmp
  File created C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.tmp
  File created C:\Program Files\Java\jdk-1.8\jre\bin\WindowsAccessBridge-64.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\jre\legal\jdk\joni.md.tmp
  File created C:\Program Files\Java\jdk-1.8\legal\jdk\xerces.md.tmp
  File created C:\Program Files\7-Zip\Lang\tg.txt.tmp
  File created C:\Program Files\Common Files\microsoft shared\ink\fr-FR\InkObj.dll.mui.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\UIAutomationClientSideProviders.resources.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\bin\schemagen.exe.tmp
  File created C:\Program Files\Java\jdk-1.8\legal\jdk\unicode.md.tmp
  File created C:\Program Files\Java\jre-1.8\bin\awt.dll.tmp
  File created C:\Program Files\Microsoft Office\root\fre\StartMenu_Win10.mp4.tmp
  File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Trial-pl.xrm-ms.tmp
  File created C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Compression.FileSystem.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ja\PresentationCore.resources.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\ReachFramework.resources.dll.tmp
  File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\fa.pak.tmp
  File created C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-processenvironment-l1-1-0.dll.tmp
  File created C:\Program Files\Microsoft Office\root\Licenses16\Excel2019R_Retail-ul-oob.xrm-ms.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Resources.ResourceManager.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\mscordbi.dll.tmp
  File created C:\Program Files\Java\jdk-1.8\jre\lib\amd64\jvm.cfg.tmp
  File created C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVIsvVirtualization.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Net.NameResolution.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.OpenSsl.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Resources.Reader.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\Microsoft.CSharp.dll.tmp
  File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\PresentationUI.resources.dll.tmp
  File created C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\gu.pak.tmp
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"
  Signatures: Drops file in Program Files directory; System Location Discovery: System Language Discovery
  PID: 5912
Network
MITRE ATT&CK Enterprise v16
Downloads
- Filesize: 680KB
  MD5: faec85ad4e265a5eb7bfcdd967674694
  SHA1: b7fb5a9cd286e46d42da3ddacd06d8002ca9a33b
  SHA256: 1c925d9d6ffa64349734776585502142c2be1b4df001da47890acb728e0dc316
  SHA512: 21f81fd9e520b53cd5a79b2122647cff7ddf69a6f184960c1faa880d3d004a12608df89489a20e32138b04d3da4ad4701663fcab059625bf2ad629c2d8cfe441
- Filesize: 760KB
  MD5: 0e99dba69b5128d1e3ae58b5b6f06e6c
  SHA1: 64932dbab0fe6475824544ca4a240b3f92104072
  SHA256: ad2513c8a27e51407135d3f5d283d369760f477ad4977a6f81ba91d2b446fd5b
  SHA512: 4120184cbedf589c1f03a5efc2122a6b22f6c74602ac79f5937202aa5053bc48ef06c6fa3c513e798b245535befdf558dab2d28b75ad3a6ef554c054f6b62b29