Analysis

  • max time kernel
    150s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250610-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03/07/2025, 05:27

General

  • Target

    e7d974fb9c76f1a4afdb7c266f27b9227aeaba8809932f833a47f1f2b6fc5361.exe

  • Size

    77KB

  • MD5

    028f0b28c785e5ee6d7ecaa15e157e8e

  • SHA1

    bafea4ff563277e94c5eb292706c4e2a31227cad

  • SHA256

    e7d974fb9c76f1a4afdb7c266f27b9227aeaba8809932f833a47f1f2b6fc5361

  • SHA512

    9bef42b88697b27e110a119a57c8a05c3ea574e70b18fed20d3013d3a9c7c98c0a513a1e93561fe82ec8e567ac75f74a36a17322b2e78bb5d1e148d75f73990b

  • SSDEEP

    768:uZ4FLm8Q8Boxn6oxSoxn6ox1YFlLYFlkE2lGZD4TzvPYNWw1Asvvzzv6t0+3eQKK:uGsx1xtx1xWg/+I8K/XCKCGSqzVw

Malware Config

Signatures

  • Cosmu

    Cosmu is a Windows worm written in C++.

  • Cosmu family
  • Detects Cosmu payload 1 IoCs

    Cosmu is a worm written in C++.

  • Renames multiple (5220) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Program Files directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e7d974fb9c76f1a4afdb7c266f27b9227aeaba8809932f833a47f1f2b6fc5361.exe
    "C:\Users\Admin\AppData\Local\Temp\e7d974fb9c76f1a4afdb7c266f27b9227aeaba8809932f833a47f1f2b6fc5361.exe"
    1⤵
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3352
    • C:\Users\Admin\AppData\Local\Temp\_createdump.exe
      "_createdump.exe"
      2⤵
      • Executes dropped EXE
      PID:4060
    • C:\Windows\SysWOW64\Zombie.exe
      "C:\Windows\system32\Zombie.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:4444

Network

        MITRE ATT&CK Enterprise v16

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\$Recycle.Bin\S-1-5-21-3001560346-2020497773-4190896137-1000\desktop.ini.exe

          Filesize

          21KB

          MD5

          6cf8daa1802afe093cfe70c1488ff7ca

          SHA1

          3ac3a814fc3a32282666c921f3e0202cfa19939b

          SHA256

          15bc67893d18046731d4377d8b6f4d7cea86f5e1d88137526d2d915f94f04ec4

          SHA512

          1b66f27fdc053cf1c8f2d574bdb3c576c4664a157419810f786a4a6a01c165f3e745492c7f8646d8a84c8a47bf3a17e1fddaa79096165558687a2e876899c382

        • C:\Users\Admin\AppData\Local\Temp\_createdump.exe

          Filesize

          56KB

          MD5

          a05b36f6129223951282f9df776761b1

          SHA1

          ec87fa41a670cffa5d77f64366fe109278661f2c

          SHA256

          5113e7ae92f3a7aebc7f8e363209866d4d743b06a26c67e0886979a56fd3a10d

          SHA512

          38b588b28057994305a3abc37d98770ab7ff905cba6da35e91b2936b99823955fc91b90a23174d53337dd62e320b9bac066b76734bf657de9fad6d37071c70da

        • C:\Windows\SysWOW64\Zombie.exe

          Filesize

          20KB

          MD5

          0b56482e76bc589939b1556b4b3cd020

          SHA1

          aeda9a8d275a57cc74ada41988ae1b12400a4205

          SHA256

          433ba76b16991acad4c04c4b90b84660454cbd26892de5fc93fa9c379c2559c7

          SHA512

          2321d5960b8c7cbf94a2c6eee44fab50cd582030b337aa1528f11444237e9680228c62a64e7237551323e046f21df460f86ae86da82ff54ad8fe93469eccafd9

        • memory/3352-23-0x0000000000400000-0x0000000000407000-memory.dmp

          Filesize

          28KB