Analysis Report cosmic.exe

Overview

General Information

Sample Name: cosmic.exe
Analysis ID: 384269
MD5: 2369d06b31cff81c84e889cb4fbca7b4
SHA1: bd606a3ca19a5faf32a4e5ed7dd260411d6cae7a
SHA256: ab88a3ed9f8763297791571f9738decb06d122e5402dd5168708586f9390b48f

Detection

GuLoader
Score: 72
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Yara detected GuLoader
Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Found potential dummy code loops (likely to delay analysis)
Machine Learning detection for sample
Tries to detect virtualization through RDTSC time measurements
Abnormal high CPU Usage
Contains functionality for execution timing, often used to detect debuggers
Creates a DirectInput object (often for capturing keystrokes)
PE file contains an invalid checksum
PE file contains strange resources
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: cosmic.exe Virustotal: Detection: 44%
Source: cosmic.exe ReversingLabs: Detection: 72%
Machine Learning detection for sample
Source: cosmic.exe Joe Sandbox ML: detected

Compliance:

Uses 32bit PE files
Source: cosmic.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: cosmic.exe, 00000000.00000002.717349068.00000000006FA000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>

System Summary:

Abnormal high CPU Usage
Source: C:\Users\user\Desktop\cosmic.exe Process Stats: CPU usage > 98%
PE file contains strange resources
Source: cosmic.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: cosmic.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: cosmic.exe, 00000000.00000002.717806368.0000000002240000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs cosmic.exe
Uses 32bit PE files
Source: cosmic.exe Static PE information: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, RELOCS_STRIPPED
Source: classification engine Classification label: mal72.troj.evad.winEXE@1/0@0/0
Source: C:\Users\user\Desktop\cosmic.exe File created: C:\Users\user\AppData\Local\Temp\~DF14F05F567A5D0232.TMP
Source: cosmic.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\cosmic.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\cosmic.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: cosmic.exe Virustotal: Detection: 44%
Source: cosmic.exe ReversingLabs: Detection: 72%

Data Obfuscation:

Yara detected GuLoader
Source: Yara match File source: 00000000.00000002.717158398.00000000004F0000.00000040.00000001.sdmp, type: MEMORY
PE file contains an invalid checksum
Source: cosmic.exe Static PE information: real checksum: 0x1c69d should be: 0x1ecf4
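Added example, not part of the Joe Sandbox report: a Python checker that recomputes the PE image checksum the way the "real checksum ... should be" line above does, so the mismatch can be reproduced offline on any sample. Instead of cosmic.exe it carries a constructed, PE-shaped buffer (MZ stub, e_lfanew, PE signature, zeroed headers), since only the header layout matters for the sum; the function names and the CLI wrapper are this example's own.

```python
import struct
import sys

E_LFANEW_OFFSET = 0x3C                   # DOS header field pointing at "PE\0\0"
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 64  # identical for PE32 and PE32+


def _checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum, after basic sanity checks."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, E_LFANEW_OFFSET)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # 4-byte signature + 20-byte COFF file header, then 64 bytes into the optional header
    off = e_lfanew + 4 + 20 + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER
    if off + 4 > len(data):
        raise ValueError("optional header truncated")
    return off


def stored_checksum(data: bytes) -> int:
    """The value the linker (or whoever rewrote the file last) left in the header."""
    return struct.unpack_from("<I", data, _checksum_field_offset(data))[0]


def pe_checksum(data: bytes) -> int:
    """Recompute the image checksum as imagehlp!CheckSumMappedFile does: a
    ones-complement style sum over the whole file as little-endian 32-bit words,
    with the CheckSum field itself counted as zero, folded to 16 bits, plus the
    file length."""
    off = _checksum_field_offset(data)
    buf = bytearray(data) + b"\0" * (-len(data) % 4)  # pad so a trailing partial word counts
    buf[off:off + 4] = b"\0\0\0\0"                    # the field does not contribute to its own sum
    total = 0
    for i in range(0, len(buf), 4):
        total += struct.unpack_from("<I", buf, i)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)  # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)                          # real length, not the padded one


def check_pe(data: bytes) -> dict:
    """Compare stored and computed checksums. A zero field is 'unset', not 'invalid':
    most user-mode linkers leave it at zero unless asked to fill it in."""
    stored = stored_checksum(data)
    computed = pe_checksum(data)
    if stored == 0:
        verdict = "unset"
    elif stored == computed:
        verdict = "valid"
    else:
        verdict = "invalid"   # header or body changed after linking (packer, crypter, patch)
    return {"stored": stored, "computed": computed, "verdict": verdict}


def build_sample_pe(checksum_field: int, size: int = 0x100) -> bytes:
    """Constructed minimal PE-shaped buffer for testing (not a loadable executable):
    MZ stub, e_lfanew = 0x40, PE signature, zeroed COFF/optional headers except CheckSum."""
    buf = bytearray(size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, E_LFANEW_OFFSET, 0x40)
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<I", buf, 0x40 + 4 + 20 + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER, checksum_field)
    return bytes(buf)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        result = check_pe(f.read())
    print(f"stored 0x{result['stored']:x}, computed 0x{result['computed']:x}: {result['verdict']}")
```

Run it as `python pe_checksum.py cosmic.exe` to get the same pair of values the report prints. Only a nonzero mismatch is a signal: "unset" is the normal state of many legitimate binaries, while "invalid" means the file was rewritten after the linker filled the header in, which is what a crypter wrapping a stub does and is consistent with the msvbvm60.dll-backed stub this sample loads.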
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\cosmic.exe Code function: 0_2_0040412F push eax; iretd 0_2_0040413D
Source: C:\Users\user\Desktop\cosmic.exe Code function: 0_2_0040BDC2 push 7600FFCEh; iretd 0_2_0040BDC7
Source: C:\Users\user\Desktop\cosmic.exe Code function: 0_2_004065EE push ebx; ret 0_2_004065F5
Source: C:\Users\user\Desktop\cosmic.exe Code function: 0_2_004035F7 push cs; retf 0_2_00403636
Source: C:\Users\user\Desktop\cosmic.exe Code function: 0_2_00406649 push ebx; ret 0_2_004065F5
Source: C:\Users\user\Desktop\cosmic.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Detected RDTSC dummy instruction sequence (likely for instruction hammering)
Source: C:\Users\user\Desktop\cosmic.exe RDTSC instruction interceptor: First address: 00000000004F36BC second address: 00000000004F3615 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F3BD07FFE63h 0x0000000f cmp cx, FCDBh 0x00000014 cmp cx, ax 0x00000017 xor edi, edi 0x00000019 cmp dl, cl 0x0000001b mov ecx, 00A95F60h 0x00000020 test ch, dh 0x00000022 cmp ebx, FD3F3D34h 0x00000028 push ecx 0x00000029 test ebx, eax 0x0000002b test cl, al 0x0000002d call 00007F3BD07FFFE6h 0x00000032 call 00007F3BD07FFFC8h 0x00000037 lfence 0x0000003a mov edx, dword ptr [7FFE0014h] 0x00000040 lfence 0x00000043 ret 0x00000044 mov esi, edx 0x00000046 pushad 0x00000047 rdtsc
Tries to detect virtualization through RDTSC time measurements
Source: C:\Users\user\Desktop\cosmic.exe RDTSC instruction interceptor: First address: 00000000004F36BC second address: 00000000004F3615 instructions: 0x00000000 rdtsc 0x00000002 mov eax, 00000001h 0x00000007 cpuid 0x00000009 popad 0x0000000a call 00007F3BD07FFE63h 0x0000000f cmp cx, FCDBh 0x00000014 cmp cx, ax 0x00000017 xor edi, edi 0x00000019 cmp dl, cl 0x0000001b mov ecx, 00A95F60h 0x00000020 test ch, dh 0x00000022 cmp ebx, FD3F3D34h 0x00000028 push ecx 0x00000029 test ebx, eax 0x0000002b test cl, al 0x0000002d call 00007F3BD07FFFE6h 0x00000032 call 00007F3BD07FFFC8h 0x00000037 lfence 0x0000003a mov edx, dword ptr [7FFE0014h] 0x00000040 lfence 0x00000043 ret 0x00000044 mov esi, edx 0x00000046 pushad 0x00000047 rdtsc
Source: C:\Users\user\Desktop\cosmic.exe RDTSC instruction interceptor: First address: 00000000004F3615 second address: 00000000004F3615 instructions: 0x00000000 rdtsc 0x00000002 xor eax, eax 0x00000004 inc eax 0x00000005 cpuid 0x00000007 popad 0x00000008 call 00007F3BD0ABFE48h 0x0000000d lfence 0x00000010 mov edx, dword ptr [7FFE0014h] 0x00000016 lfence 0x00000019 ret 0x0000001a sub edx, esi 0x0000001c ret 0x0000001d pop ecx 0x0000001e jmp 00007F3BD0ABFE3Ah 0x00000020 cmp ah, ah 0x00000022 add edi, edx 0x00000024 dec ecx 0x00000025 cmp ecx, 00000000h 0x00000028 jne 00007F3BD0ABFDEBh 0x0000002a test ch, dh 0x0000002c cmp ebx, FD3F3D34h 0x00000032 push ecx 0x00000033 test ebx, eax 0x00000035 test cl, al 0x00000037 call 00007F3BD0ABFE76h 0x0000003c call 00007F3BD0ABFE58h 0x00000041 lfence 0x00000044 mov edx, dword ptr [7FFE0014h] 0x0000004a lfence 0x0000004d ret 0x0000004e mov esi, edx 0x00000050 pushad 0x00000051 rdtsc
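Added example, not from the report or from the sample's authors: a Python scanner that finds the rdtsc ... cpuid ... rdtsc pattern the interceptor traces above show, in a raw code or memory dump, and pulls out any mov ecx, imm32 between the two reads as a candidate loop counter. The sample input is a hand-encoding of the first trace above (the three call rel32 displacements are zero placeholders, everything else follows the listed instructions and offsets); the function names and the byte window are this example's own choices.

```python
import sys

RDTSC = b"\x0f\x31"     # rdtsc
CPUID = b"\x0f\xa2"     # cpuid: trapped by every mainstream hypervisor, so it is slow in a VM
MOV_ECX_IMM32 = 0xB9    # mov ecx, imm32

# Constructed input: byte encoding of the first RDTSC interceptor trace in the report.
# Offsets match the trace; the call displacements are placeholders.
SAMPLE_TRACE = bytes.fromhex(
    "0f31"            # 0x00 rdtsc
    "b801000000"      # 0x02 mov eax, 1
    "0fa2"            # 0x07 cpuid
    "61"              # 0x09 popad
    "e800000000"      # 0x0a call (placeholder displacement)
    "6681f9dbfc"      # 0x0f cmp cx, 0FCDBh
    "6639c1"          # 0x14 cmp cx, ax
    "31ff"            # 0x17 xor edi, edi
    "38ca"            # 0x19 cmp dl, cl
    "b9605fa900"      # 0x1b mov ecx, 0A95F60h  (11,100,000: the loop counter)
    "84f5"            # 0x20 test ch, dh
    "81fb343d3ffd"    # 0x22 cmp ebx, 0FD3F3D34h
    "51"              # 0x28 push ecx
    "85c3"            # 0x29 test ebx, eax
    "84c1"            # 0x2b test cl, al
    "e800000000"      # 0x2d call (placeholder)
    "e800000000"      # 0x32 call (placeholder)
    "0faee8"          # 0x37 lfence
    "8b151400fe7f"    # 0x3a mov edx, [7FFE0014h]  (KUSER_SHARED_DATA.SystemTime.LowPart)
    "0faee8"          # 0x40 lfence
    "c3"              # 0x43 ret
    "8bf2"            # 0x44 mov esi, edx
    "60"              # 0x46 pushad
    "0f31"            # 0x47 rdtsc
)


def _loop_counter(blob: bytes, start: int, end: int):
    """Heuristic: first mov ecx, imm32 between start and end, or None.
    0xB9 can also be an operand byte, so confirm the hit in a disassembler."""
    i = blob.find(bytes([MOV_ECX_IMM32]), start, end)
    if i == -1 or i + 5 > len(blob):
        return None
    return int.from_bytes(blob[i + 1:i + 5], "little")


def find_rdtsc_cpuid_gadgets(blob: bytes, window: int = 96) -> list:
    """Return one dict per rdtsc ... cpuid ... rdtsc triple that fits inside `window`
    bytes. Two rdtsc without a cpuid between them are not reported: plain timing
    reads are common in legitimate code, the VM-exit probe is not."""
    hits = []
    pos = blob.find(RDTSC)
    while pos != -1:
        end = min(len(blob), pos + window)
        cpuid_at = blob.find(CPUID, pos + 2, end)
        if cpuid_at != -1:
            second = blob.find(RDTSC, cpuid_at + 2, end)
            if second != -1:
                hits.append({
                    "first_rdtsc": pos,
                    "cpuid": cpuid_at,
                    "second_rdtsc": second,
                    "loop_count": _loop_counter(blob, pos, second),
                })
        pos = blob.find(RDTSC, pos + 2)
    return hits


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for hit in find_rdtsc_cpuid_gadgets(data):
        count = hit["loop_count"]
        print(f"rdtsc@{hit['first_rdtsc']:#x} cpuid@{hit['cpuid']:#x} rdtsc@{hit['second_rdtsc']:#x}"
              f" loop_count={'?' if count is None else f'{count:#x} ({count})'}")
```

Point it at a dump of the 0x4F0000 region that the Yara rule matched to find every copy of the gadget. Reading the trace itself, rdtsc is not the clock the sample trusts: both halves load KUSER_SHARED_DATA.SystemTime.LowPart at 7FFE0014h, the second trace subtracts the earlier reading (sub edx, esi) and accumulates the difference in edi while ecx counts down, so the check is how much wall-clock time 11,100,000 cpuid executions consume. That explains why the report sees CPU above 90% for over a minute with no other activity, and why a sandbox that only fakes rdtsc does not defeat it.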
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\cosmic.exe Code function: 0_2_00409255 rdtsc 0_2_00409255
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Anti Debugging:

Found potential dummy code loops (likely to delay analysis)
Source: C:\Users\user\Desktop\cosmic.exe Process Stats: CPU usage > 90% for more than 60s
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\Desktop\cosmic.exe Code function: 0_2_00409255 rdtsc 0_2_00409255
Program does not show much activity (idle)
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: cosmic.exe, 00000000.00000002.717553804.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: cosmic.exe, 00000000.00000002.717553804.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: cosmic.exe, 00000000.00000002.717553804.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Progman
Source: cosmic.exe, 00000000.00000002.717553804.0000000000C80000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Behavior Graph ID: 384269, Sample: cosmic.exe, Startdate: 08/04/2021, Architecture: WINDOWS, Score: 72
Sample-level signatures: Multi AV Scanner detection for submitted file; Yara detected GuLoader; Machine Learning detection for sample
Process started: cosmic.exe
Process-level signatures: Detected RDTSC dummy instruction sequence (likely for instruction hammering); Found potential dummy code loops (likely to delay analysis); Tries to detect virtualization through RDTSC time measurements
No contacted IP infos