Analysis

  • max time kernel
    150s
  • max time network
    98s
  • platform
    windows11-21h2_x64
  • resource
    win11-20250502-en
  • resource tags

    arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    03/07/2025, 05:26

General

  • Target

    978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe

  • Size

    680KB

  • MD5

    edbb420ee4efecf2c4e9e1ea625f52fd

  • SHA1

    2066bb1097af84a8deb2e41fa5d2b0d06c26f45b

  • SHA256

    978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05

  • SHA512

    9a11823898e1ec8197572059b9fdfd3a8122440cbef4660785c5a11109356b49dc8d67a11c6b53e480feabc07817fb8c27f27fb146609ed2ff6f48dab74682b1

  • SSDEEP

    12288:j6/aWD0arbq2uqf0ZQFAX6XBYoaUYQUpRaKxGhevFkKQXjEw:s3Rrbq2jcQtYQUaKxBFW

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (3136) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

Processes

  • C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
    "C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"
    1⤵
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    PID:4428

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3518521428-3897247806-4080064211-1000\desktop.ini.tmp

          Filesize

          680KB

          MD5

          197e332a5aaf74c3a523bea7c8c7807c

          SHA1

          8fa765bfcf0cda6b52c27e073c454c03fae9b097

          SHA256

          c22293c8d27391d6688b6d7b759a2efedd637772da262bbac571b9416ed852fd

          SHA512

          66b1cca2dce9593d97c3eae3ac630c5a4fb81b68649284bcdbc40c60e4041f3f28f007c080c82d1c51a5aaa83b0c3e9b7fb9dc2bc4d940f67b8df663fa12d2b2

        • C:\ef24ccacc0fb7a1128713900cef14716\2010_x64.log.html.tmp

          Filesize

          766KB

          MD5

          14cb81c6b8b0d42b5f24836d7e06ecce

          SHA1

          fe39087bf49cdb670a12fe4eff3ba86783d6c0fa

          SHA256

          7c2d2556feeea163003032538253a97c4937b142a91653a8be22dbd52e12eada

          SHA512

          fc729921f02e6b4d31498ff85b32e4b05cf647efb68c58dfba0c3cd6bd26c5e1e005ced314acd41cbea4b99dd7f4f85f70b9a99523f52522fb7d4b553e9b8ed5

        • memory/4428-497-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB