Windows
Analysis Report
SophosZap(1).exe
Overview
General Information
Detection
Score: | 2 |
Range: | 0 - 100 |
Confidence: | 80% |
Signatures
Classification
- System is w11x64_office
SophosZap(1).exe (PID: 3164 cmdline:
"C:\Users\ user\Deskt op\SophosZ ap(1).exe" MD5: E8EC1B452253493FEE6C02EA1BC8773D) conhost.exe (PID: 1012 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 9698384842DA735D80D278A427A229AB)
- cleanup
Click to jump to signature section
There are no malicious signatures, click here to show all signatures.
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: | ||
Source: | String found in binary or memory: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: | ||
Source: | Binary or memory string: |
Source: | Static PE information: |
Source: | Classification label: |
Source: | Static PE information: |
Source: | Key opened: | Jump to behavior |
Source: | Process created: | ||
Source: | Process created: |
Source: | Section loaded: | Jump to behavior |
Source: | Static PE information: |
Source: | Static file information: |
Source: | Static PE information: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: | ||
Source: | Binary string: |
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: | ||
Source: | Static PE information: |
Source: | Static PE information: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Source: | Last function: | ||
Source: | Last function: |
Source: | Thread injection, dropped files, key value created, disk infection and DNS query: |
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | Windows Management Instrumentation | 1 DLL Side-Loading | 1 Process Injection | 1 Process Injection | OS Credential Dumping | 1 System Information Discovery | Remote Services | Data from Local System | Data Obfuscation | Exfiltration Over Other Network Medium | Abuse Accessibility Features |
Credentials | Domains | Default Accounts | Scheduled Task/Job | Boot or Logon Initialization Scripts | 1 DLL Side-Loading | 1 DLL Side-Loading | LSASS Memory | Application Window Discovery | Remote Desktop Protocol | Data from Removable Media | Junk Data | Exfiltration Over Bluetooth | Network Denial of Service |
This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Source | Detection | Scanner | Label | Link |
---|---|---|---|---|
0% | Virustotal | Browse | ||
0% | ReversingLabs |
Joe Sandbox version: | 42.0.0 Malachite |
Analysis ID: | 1671067 |
Start date and time: | 2025-04-22 15:32:11 +02:00 |
Joe Sandbox product: | CloudBasic |
Overall analysis duration: | 0h 3m 59s |
Hypervisor based Inspection enabled: | false |
Report type: | full |
Cookbook file name: | defaultwindowsinteractivecookbook.jbs |
Analysis system description: | Windows 11 23H2 with Office Professional Plus 2021, Chrome 131, Firefox 133, Adobe Reader DC 24, Java 8 Update 431, 7zip 24.09 |
Run name: | Potential for more IOCs and behavior |
Number of analysed new started processes analysed: | 14 |
Number of new started drivers analysed: | 0 |
Number of existing processes analysed: | 0 |
Number of existing drivers analysed: | 0 |
Number of injected processes analysed: | 0 |
Technologies: |
|
Analysis Mode: | default |
Analysis stop reason: | Timeout |
Sample name: | SophosZap(1).exe |
Detection: | CLEAN |
Classification: | clean2.winEXE@2/1@0/0 |
Cookbook Comments: |
|
- Exclude process from analysis
(whitelisted): dllhost.exe, Sy stemSettingsBroker.exe, SIHCli ent.exe, appidcertstorecheck.e xe, conhost.exe, WmiPrvSE.exe, svchost.exe - Excluded IPs from analysis (wh
itelisted): 104.18.38.233, 172 .64.149.23, 172.202.163.200 - Excluded domains from analysis
(whitelisted): crt.comodoca.c om.cdn.cloudflare.net, slscr.u pdate.microsoft.com, fe3cr.del ivery.mp.microsoft.com, crt.co modoca.com - Not all processes where analyz
ed, report is missing behavior information
Process: | C:\Users\user\Desktop\SophosZap(1).exe |
File Type: | |
Category: | dropped |
Size (bytes): | 264 |
Entropy (8bit): | 4.956898676378702 |
Encrypted: | false |
SSDEEP: | 6:nNWYYFwBREB7kJlXz+PXthNTa1rTFAyIB5U7kJl/GoWxI1+jxymaDN:njoW1cZa1f6yE1/GoSx2N |
MD5: | 7C444E2CC5B14205C210EBD963EA82C1 |
SHA1: | 47D0D43F3657E2D3202A902A91F204C99D847D45 |
SHA-256: | 50828E50CC9CF4CA51E67ACAC5EB0818F88B4F7C797F795704F38E746478F8C4 |
SHA-512: | B373E10756B56909E8B8A320984B495A288C6AEEA673482285B0BF0E6410FDEEDB79D37370C1758D2E388C4E77FDCAE03C310298F0E1883645FEB88FAF653AAD |
Malicious: | false |
Reputation: | low |
Preview: |
File type: | |
Entropy (8bit): | 6.594512185963858 |
TrID: |
|
File name: | SophosZap(1).exe |
File size: | 3'543'408 bytes |
MD5: | e8ec1b452253493fee6c02ea1bc8773d |
SHA1: | 059fc237a015cbe1dc644662b500d774cf31f70a |
SHA256: | 55e9754b2cb493134277fc14616e50786e02bc76d32e89d62ff1bb57a88348ae |
SHA512: | a779792a7760511814c4ac19e852830b9ff7651864a57df618804ecd3da615e041a634dc610327c29dbabcde6decbae16a2bd3f0f1f84a18a1082ee6dbd10599 |
SSDEEP: | 49152:6gK/blXzSyrnuguDiOt84bTDx5OsvXUSnncWZ5GALSeZG0zKk4ioS3P1qyv:6gKTFzSencDiOS+TNESBZG31ioS3F |
TLSH: | 4CF58D21ABDD407AE1F6D2749E758B22A17FBC24077086CF33C4072E8D656D19E76B22 |
File Content Preview: | MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......9;..}Z..}Z..}Z..6"..pZ..6"...Z..6"..kZ...$..lZ...$..jZ..6"..tZ..}Z...Z...$...Z..d%..]Z..d%..|Z..}Zq.|Z..d%..|Z..Rich}Z......... |
Icon Hash: | 90969696969696a8 |
Entrypoint: | 0x416390 |
Entrypoint Section: | .text |
Digitally signed: | true |
Imagebase: | 0x400000 |
Subsystem: | windows cui |
Image File Characteristics: | EXECUTABLE_IMAGE, 32BIT_MACHINE |
DLL Characteristics: | DYNAMIC_BASE, NX_COMPAT, GUARD_CF, TERMINAL_SERVER_AWARE |
Time Stamp: | 0x6661BE28 [Thu Jun 6 13:48:24 2024 UTC] |
TLS Callbacks: | |
CLR (.Net) Version: | |
OS Version Major: | 6 |
OS Version Minor: | 1 |
File Version Major: | 6 |
File Version Minor: | 1 |
Subsystem Version Major: | 6 |
Subsystem Version Minor: | 1 |
Import Hash: | 8256a3557562955829bd8f0eaf5db47d |
Signature Valid: | true |
Signature Issuer: | CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1, O="DigiCert, Inc.", C=US |
Signature Validation Error: | The operation completed successfully |
Error Number: | 0 |
Not Before, Not After |
|
Subject Chain |
|
Version: | 3 |
Thumbprint MD5: | 0D88E09CEEF82C1718C347DEF0940593 |
Thumbprint SHA-1: | 5628368784201C9B23D2838F7E4A68D8A101AADB |
Thumbprint SHA-256: | 5FE57E24D3E2FECAC0F62C4B9D484FF13B76FEF362AFE51505ACF9B896C4DE0A |
Serial: | 09CA6A31D555EEE418532F4AE4AC38CB |
Instruction |
---|
call 00007F2414D3B2FEh |
jmp 00007F2414D3A5ADh |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
call 00007F2414D3A767h |
push 00000000h |
call 00007F2414D3A9F8h |
pop ecx |
test al, al |
je 00007F2414D3A750h |
push 00416450h |
call 00007F2414D3AB76h |
pop ecx |
xor eax, eax |
ret |
push 00000007h |
call 00007F2414D3B386h |
int3 |
push esi |
push edi |
push 00000FA0h |
push 004489B0h |
call dword ptr [00435108h] |
push 00436970h |
call dword ptr [00435018h] |
mov esi, eax |
test esi, esi |
jne 00007F2414D3A753h |
push 004366F8h |
call dword ptr [00435018h] |
mov esi, eax |
test esi, esi |
je 00007F2414D3A788h |
push 004369B4h |
push esi |
call dword ptr [00435014h] |
push 004369D0h |
push esi |
mov edi, eax |
call dword ptr [00435014h] |
test edi, edi |
je 00007F2414D3A754h |
test eax, eax |
je 00007F2414D3A750h |
mov dword ptr [004489C8h], edi |
mov dword ptr [004489CCh], eax |
pop edi |
pop esi |
ret |
xor eax, eax |
push eax |
push eax |
push 00000001h |
push eax |
call dword ptr [00435050h] |
mov dword ptr [004489ACh], eax |
test eax, eax |
jne 00007F2414D3A729h |
push 00000007h |
call 00007F2414D3B304h |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
int3 |
push 004489B0h |
call dword ptr [000000ECh] |
Name | Virtual Address | Virtual Size | Is in Section |
---|---|---|---|
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x45cd8 | 0x28 | .rdata |
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x4b000 | 0x315268 | .rsrc |
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x35e800 | 0x2970 | |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x361000 | 0x2be4 | .reloc |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x41d50 | 0x54 | .rdata |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_TLS | 0x41dc0 | 0x18 | .rdata |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x369f0 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_IAT | 0x35000 | 0x1d0 | .rdata |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x45c18 | 0x40 | .rdata |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
---|---|---|---|---|---|---|---|---|---|
.text | 0x1000 | 0x3323a | 0x33400 | 80b8ec48e847d0ea44477bbaaa1c0da5 | False | 0.5365901295731708 | data | 6.618901508353795 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
.rdata | 0x35000 | 0x11760 | 0x11800 | 08aa760e24af636be8fa21a7dd25a114 | False | 0.5008370535714286 | data | 5.452909659481047 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.data | 0x47000 | 0x29b0 | 0x1600 | 0db8ccbe1316d76a85de7b4ca4931d5a | False | 0.19691051136363635 | DOS executable (block device driver \277DN) | 3.744744808704506 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.didat | 0x4a000 | 0x14 | 0x200 | 9cb84a29f1cbb209fe24f716f24b11dd | False | 0.044921875 | data | 0.21310128450968063 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
.rsrc | 0x4b000 | 0x315268 | 0x315400 | d8394474a18fc8dc1a79b5d713bad86c | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
.reloc | 0x361000 | 0x2be4 | 0x2c00 | 01c95bca5a50469ae68ca8801293bdcb | False | 0.7395241477272727 | GLS_BINARY_LSB_FIRST | 6.601333916301838 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ |
Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
---|---|---|---|---|---|---|
RT_RCDATA | 0x4b148 | 0xef368 | PE32 executable (console) Intel 80386, for MS Windows | 0.44047351747675073 | ||
RT_RCDATA | 0x13a4b0 | 0x110368 | PE32+ executable (console) x86-64, for MS Windows | 0.4464244842529297 | ||
RT_RCDATA | 0x24a818 | 0x115568 | PE32+ executable (console) Aarch64, for MS Windows | 0.4079904556274414 | ||
RT_VERSION | 0x35fd80 | 0x360 | data | English | United States | 0.46064814814814814 |
RT_MANIFEST | 0x3600e0 | 0x188 | XML 1.0 document, ASCII text, with CRLF line terminators | English | United States | 0.5892857142857143 |
DLL | Import |
---|---|
KERNEL32.dll | FindResourceW, GetExitCodeProcess, MultiByteToWideChar, WideCharToMultiByte, GetNativeSystemInfo, GetProcAddress, GetModuleHandleW, ReadFile, GetStdHandle, TerminateProcess, WaitForSingleObject, OpenProcess, CreateProcessW, FindClose, CloseHandle, LocalFree, FindFirstFileExW, FindNextFileW, FreeEnvironmentStringsW, FreeLibrary, CreateEventW, FormatMessageW, LoadLibraryExW, OutputDebugStringA, GetCurrentProcessId, LoadLibraryExA, SetEnvironmentVariableW, SetSearchPathMode, HeapSetInformation, GetProcessHeap, SetDllDirectoryW, LockResource, GetLastError, DuplicateHandle, GetSystemDirectoryW, LoadResource, RaiseException, GetSystemInfo, VirtualProtect, VirtualQuery, FormatMessageA, GetLocaleInfoEx, CreateDirectoryW, FindFirstFileW, GetFileAttributesW, GetFileAttributesExW, SetFileInformationByHandle, GetTempPathW, AreFileApisANSI, GetFileInformationByHandleEx, GetStringTypeW, InitializeSRWLock, ReleaseSRWLockExclusive, AcquireSRWLockExclusive, TryAcquireSRWLockExclusive, GetCurrentThreadId, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSectionEx, DeleteCriticalSection, EncodePointer, DecodePointer, LCMapStringEx, CreateFileW, GetSystemTimeAsFileTime, GetCPInfo, InitializeCriticalSectionAndSpinCount, SetEvent, ResetEvent, WaitForSingleObjectEx, IsProcessorFeaturePresent, UnhandledExceptionFilter, SetUnhandledExceptionFilter, InitializeSListHead, IsDebuggerPresent, GetStartupInfoW, RtlUnwind, SetLastError, TlsAlloc, TlsGetValue, TlsSetValue, TlsFree, GetModuleFileNameW, ExitProcess, GetModuleHandleExW, GetCommandLineA, GetCommandLineW, HeapFree, HeapAlloc, GetFileType, SetStdHandle, CompareStringW, LCMapStringW, GetLocaleInfoW, IsValidLocale, GetUserDefaultLCID, EnumSystemLocalesW, FlushFileBuffers, GetConsoleOutputCP, GetConsoleMode, GetFileSizeEx, SetFilePointerEx, ReadConsoleW, HeapReAlloc, IsValidCodePage, GetACP, GetOEMCP, GetEnvironmentStringsW, HeapSize, WriteConsoleW, ReOpenFile, WriteFile, GetCurrentProcess, QueryPerformanceCounter, SizeofResource |
Description | Data |
---|---|
Comments | b3591af05249338cb9d2211b0aa8a74d43ff3d8c |
CompanyName | Sophos Limited |
FileDescription | SophosZap |
FileVersion | 1.8.60.0 |
InternalName | SophosZap |
LegalCopyright | Copyright 1989-2024 Sophos Limited. All rights reserved. |
OriginalFilename | SophosZap |
ProductVersion | 1.8 |
ProductName | SophosZap |
Translation | 0x0409 0x04b0 |
Language of compilation system | Country where language is spoken | Map |
---|---|---|
English | United States |
Click to jump to process
Click to jump to process
Click to jump to process
Target ID: | 1 |
Start time: | 09:33:11 |
Start date: | 22/04/2025 |
Path: | C:\Users\user\Desktop\SophosZap(1).exe |
Wow64 process (32bit): | true |
Commandline: | |
Imagebase: | 0xa0000 |
File size: | 3'543'408 bytes |
MD5 hash: | E8EC1B452253493FEE6C02EA1BC8773D |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | low |
Has exited: | false |
Target ID: | 2 |
Start time: | 09:33:11 |
Start date: | 22/04/2025 |
Path: | C:\Windows\System32\conhost.exe |
Wow64 process (32bit): | false |
Commandline: | |
Imagebase: | 0x7ff7bdef0000 |
File size: | 1'040'384 bytes |
MD5 hash: | 9698384842DA735D80D278A427A229AB |
Has elevated privileges: | true |
Has administrator privileges: | true |
Programmed in: | C, C++ or other language |
Reputation: | moderate |
Has exited: | false |