Analysis
max time kernel: 150s
max time network: 98s
platform: windows11-21h2_x64
resource: win11-20250502-en
resource tags: arch:x64, arch:x86, image:win11-20250502-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 03/07/2025, 05:26
Static task: static1
Behavioral task: behavioral1
  Sample: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
  Resource: win10v2004-20250610-en
Behavioral task: behavioral2
  Sample: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
  Resource: win11-20250502-en
General
Target: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
Size: 680KB
MD5: edbb420ee4efecf2c4e9e1ea625f52fd
SHA1: 2066bb1097af84a8deb2e41fa5d2b0d06c26f45b
SHA256: 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05
SHA512: 9a11823898e1ec8197572059b9fdfd3a8122440cbef4660785c5a11109356b49dc8d67a11c6b53e480feabc07817fb8c27f27fb146609ed2ff6f48dab74682b1
SSDEEP: 12288:j6/aWD0arbq2uqf0ZQFAX6XBYoaUYQUpRaKxGhevFkKQXjEw:s3Rrbq2jcQtYQUaKxBFW
Malware Config
Signatures
Cosmu family
Detects Cosmu payload (1 IoC)
Cosmu is a worm written in C++.
resource: behavioral2/memory/4428-497-0x0000000000400000-0x0000000000407000-memory.dmp
yara_rule: family_cosmu
Renames multiple (3136) files with added filename extension
Mass renaming with an appended extension is consistent with file-encrypting ransomware. In this run the artifacts are <original name>.tmp files created next to installed application files under C:\Program Files (see the IoC list below); the signature counts the renames and does not by itself confirm that the file contents were encrypted.
-
Drops file in Program Files directory (64 IoCs)
All 64 entries are "File created" events by 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe:
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp
C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp
C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp
C:\Program Files\Java\jre-1.8\lib\currency.data.tmp
C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp
C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp
C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-00A1-0000-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hant\UIAutomationProvider.resources.dll.tmp
C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\Subtle Solids.eftx.tmp
C:\Program Files\Microsoft Office\root\Licenses16\O365BusinessDemoR_BypassTrial365-ul-oob.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ComponentModel.DataAnnotations.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Reflection.Emit.ILGeneration.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\PresentationCore.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\uk.pak.tmp
C:\Program Files\Java\jdk-1.8\jre\bin\api-ms-win-core-synch-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\lib\images\cursors\win32_MoveDrop32x32.gif.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusiness2019R_Trial-ul-oob.xrm-ms.tmp
C:\Program Files\Common Files\microsoft shared\ink\ipschs.xml.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\es\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-crt-math-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\bin\splashscreen.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\PresentationFramework.resources.dll.tmp
C:\Program Files\Java\jdk-1.8\bin\api-ms-win-core-interlocked-l1-1-0.dll.tmp
C:\Program Files\Java\jre-1.8\bin\javaws.exe.tmp
C:\Program Files\Microsoft Office\root\Integration\C2RManifest.DCF.DCF.x-none.msi.16.x-none.xml.tmp
C:\Program Files\Common Files\System\ado\msadrh15.dll.tmp
C:\Program Files\Common Files\System\msadc\fr-FR\msaddsr.dll.mui.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\Microsoft.VisualBasic.Forms.resources.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\ko\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Google\Chrome\Application\133.0.6943.60\libGLESv2.dll.tmp
C:\Program Files\Java\jre-1.8\bin\jsoundds.dll.tmp
C:\Program Files\Microsoft Office\root\Licenses16\AccessRuntimeR_PrepidBypass-ppd.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeStudentR_OEM_Perp-ul-oob.xrm-ms.tmp
C:\Program Files\7-Zip\History.txt.tmp
C:\Program Files\Common Files\microsoft shared\ink\fsdefinitions\symbols\symbase.xml.tmp
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOLoader.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.NetworkInformation.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.Diagnostics.TextWriterTraceListener.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.IO.Compression.ZipFile.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Design.resources.dll.tmp
C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\Microsoft.WindowsDesktop.App.runtimeconfig.json.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\zh-Hant\WindowsFormsIntegration.resources.dll.tmp
C:\Program Files\Java\jre-1.8\lib\deploy\messages_fr.properties.tmp
C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.90160000-3102-0000-1000-0000000FF1CE.xml.tmp
C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessPipcDemoR_BypassTrial365-ul-oob.xrm-ms.tmp
C:\Program Files\Microsoft Office\root\Licenses16\MondoR_O16EnterpriseVL_Bypass30-ppd.xrm-ms.tmp
C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\Microsoft.VisualBasic.Forms.dll.tmp
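The "renames multiple files with added filename extension" signature above is a volume heuristic, and the IoC list shows what separates it from benign installer noise: one process writing <name>.<ext>.tmp across unrelated product trees (dotnet, Java, Office, Chrome, 7-Zip) within seconds. The following is an added detection example written for this page, not code from the sandbox or from the sample's authors. It runs that logic over a constructed file-event log; the event line format, the "setup.exe" benign process, its paths, and the thresholds are all assumptions, while the 22 victim paths are taken from the list above.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Event line format is an assumption for this example (not the sandbox's own):
# "<ISO timestamp> <process> <action> <path>"; the path may contain spaces.
EVENT_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<proc>\S+)\s+(?P<action>\S+)\s+(?P<path>.+)$")

MALWARE = "978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"

# 22 of the 64 "File created" paths listed in the report.
VICTIM_PATHS = [
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.15\System.dll.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\PresentationNative_cor3.dll.tmp",
    r"C:\Program Files\Java\jdk-1.8\jre\lib\fonts\LucidaBrightRegular.ttf.tmp",
    r"C:\Program Files\Java\jdk-1.8\lib\packager.jar.tmp",
    r"C:\Program Files\Java\jre-1.8\lib\currency.data.tmp",
    r"C:\Program Files\Java\jre-1.8\lib\ext\jfxrt.jar.tmp",
    r"C:\Program Files\dotnet\host\fxr\7.0.16\hostfxr.dll.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\api-ms-win-core-util-l1-1-0.dll.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Net.Quic.dll.tmp",
    r"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Blue II.xml.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\UIAutomationClient.resources.dll.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\System.Windows.Forms.Primitives.resources.dll.tmp",
    r"C:\Program Files\Java\jre-1.8\bin\npt.dll.tmp",
    r"C:\Program Files\Microsoft Office\PackageManifests\AppXManifest.common.16.xml.tmp",
    r"C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\Tw Cen MT.xml.tmp",
    r"C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_Trial2-ul-oob.xrm-ms.tmp",
    r"C:\Program Files\Common Files\System\Ole DB\ja-JP\sqloledb.rll.mui.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.Channels.dll.tmp",
    r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.Xml.dll.tmp",
    r"C:\Program Files\Google\Chrome\Application\133.0.6943.60\Locales\uk.pak.tmp",
    r"C:\Program Files\7-Zip\History.txt.tmp",
    r"C:\Program Files\Common Files\microsoft shared\ClickToRun\C2R32.dll.tmp",
]


def build_sample_log():
    """Constructed log: the sample touching VICTIM_PATHS one second apart, plus a
    made-up benign installer ("setup.exe") writing six .tmp files into ONE directory."""
    t0 = datetime(2025, 7, 3, 5, 26, 10)
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} {MALWARE} FileCreate {p}"
             for i, p in enumerate(VICTIM_PATHS)]
    for i in range(6):
        ts = (t0 + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} setup.exe FileCreate C:\\Users\\Admin\\AppData\\Local\\Temp\\pkg\\part{i}.bin.tmp")
    return "\n".join(lines)


def parse_events(text):
    """Parse event lines into dicts; malformed lines are skipped rather than fatal."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "proc": m["proc"],
                           "action": m["action"], "path": m["path"]})
    return events


def appended_extension(path):
    """'.tmp' for History.txt.tmp (an extension appended to a name that already had
    one); None for MSI1234.tmp. A double extension alone is not suspicious, which is
    why the detector below also requires volume and directory spread."""
    suffixes = PureWindowsPath(path).suffixes
    return suffixes[-1].lower() if len(suffixes) >= 2 else None


def detect_mass_rename(events, window=timedelta(seconds=60), min_files=20, min_dirs=5):
    """Per (process, appended extension), slide a time window over FileCreate events
    and alert when one process wrote >= min_files such files spread over >= min_dirs
    distinct directories. The spread condition is what separates a mass rename across
    unrelated product trees from an installer writing .tmp files into its own folder."""
    by_key = defaultdict(list)
    for e in events:
        ext = appended_extension(e["path"]) if e["action"] == "FileCreate" else None
        if ext is not None:
            by_key[(e["proc"], ext)].append((e["ts"], str(PureWindowsPath(e["path"]).parent)))
    alerts = []
    for (proc, ext), items in by_key.items():
        items.sort()
        win, best = deque(), None
        for ts, parent in items:
            win.append((ts, parent))
            while ts - win[0][0] > window:
                win.popleft()
            dirs = {p for _, p in win}
            if len(win) >= min_files and len(dirs) >= min_dirs and (best is None or len(win) > best["files"]):
                best = {"process": proc, "extension": ext, "files": len(win),
                        "dirs": len(dirs), "first": win[0][0], "last": ts}
        if best:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(parse_events(build_sample_log())):
        print(alert)
```

With the default thresholds only the sample's process alerts; lowering min_dirs to 1 makes the single-directory installer alert too, which is the false positive the spread condition is there to suppress. The 3136 renames reported by the sandbox are far above the 20-file threshold used here, so the threshold is a tuning knob against noisy installers rather than something the sample could realistically stay under.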
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe
Processes
C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe (PID 4428), command line: "C:\Users\Admin\AppData\Local\Temp\978efc71c66eb2f3a9864bb1273c75d44294a7e530646a84f62763ce104f2c05.exe"
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v16
Downloads
Filesize: 680KB
MD5: 197e332a5aaf74c3a523bea7c8c7807c
SHA1: 8fa765bfcf0cda6b52c27e073c454c03fae9b097
SHA256: c22293c8d27391d6688b6d7b759a2efedd637772da262bbac571b9416ed852fd
SHA512: 66b1cca2dce9593d97c3eae3ac630c5a4fb81b68649284bcdbc40c60e4041f3f28f007c080c82d1c51a5aaa83b0c3e9b7fb9dc2bc4d940f67b8df663fa12d2b2

Filesize: 766KB
MD5: 14cb81c6b8b0d42b5f24836d7e06ecce
SHA1: fe39087bf49cdb670a12fe4eff3ba86783d6c0fa
SHA256: 7c2d2556feeea163003032538253a97c4937b142a91653a8be22dbd52e12eada
SHA512: fc729921f02e6b4d31498ff85b32e4b05cf647efb68c58dfba0c3cd6bd26c5e1e005ced314acd41cbea4b99dd7f4f85f70b9a99523f52522fb7d4b553e9b8ed5