Analysis

  • max time kernel
    150s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/07/2025, 05:26

General

  • Target
    978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
  • Size
    680KB
  • MD5
    edbb420ee4efecf2c4e9e1ea625f52fd
  • SHA1
    2066bb1097af84a8deb2e41fa5d2b0d06c26f45b
  • SHA256
    978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05
  • SHA512
    9a11823898e1ec8197572059b9fdfd3a8122440cbef4660785c5a11109356b49dc8d67a11c6b53e480feabc07817fb8c27f27fb146609ed2ff6f48dab74682b1
  • SSDEEP
    12288:j6/aWD0arbq2uqf0ZQFAX6XBYoaUYQUpRaKxGhevFkKQXjEw:s3Rrbq2jcQtYQUaKxBFW

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (2891) files with added filename extension

    This suggests ransomware activity: the files on the system are being encrypted and renamed.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
    "C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:5912

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3001560346-2020497773-4190896137-1000\desktop.ini.tmp
          Filesize: 680KB
          MD5: faec85ad4e265a5eb7bfcdd967674694
          SHA1: b7fb5a9cd286e46d42da3ddacd06d8002ca9a33b
          SHA256: 1c925d9d6ffa64349734776585502142c2be1b4df001da47890acb728e0dc316
          SHA512: 21f81fd9e520b53cd5a79b2122647cff7ddf69a6f184960c1faa880d3d004a12608df89489a20e32138b04d3da4ad4701663fcab059625bf2ad629c2d8cfe441

        • C:\e17c3a4b92f97a6f793d\2010_x86.log.html.tmp
          Filesize: 760KB
          MD5: 0e99dba69b5128d1e3ae58b5b6f06e6c
          SHA1: 64932dbab0fe6475824544ca4a240b3f92104072
          SHA256: ad2513c8a27e51407135d3f5d283d369760f477ad4977a6f81ba91d2b446fd5b
          SHA512: 4120184cbedf589c1f03a5efc2122a6b22f6c74602ac79f5937202aa5053bc48ef06c6fa3c513e798b245535befdf558dab2d28b75ad3a6ef554c054f6b62b29

        • memory/5912-461-0x0000000000400000-0x0000000000407000-memory.dmp
          Filesize: 28KB