Analysis Report SophosSetup (9).exe

Overview

General Information

Sample Name: SophosSetup (9).exe
Analysis ID: 413056
MD5: 070002b28e379e0c362f0e69ecd6d60b
SHA1: db19c547d7231362040c8ff10c92451e059c3ef2
SHA256: c92892ee1c9a44469650f5575e64c11fa08f44bcdf61c49e19a2714e2b6a7f5b
Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Drops PE files
Found potential string decryption / allocating functions
PE file contains an invalid checksum
PE file contains executable resources (Code or Archives)
PE file contains strange resources
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)

Classification

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009D9C53 __EH_prolog3,CertCreateCertificateContext,__EH_prolog3_GS,CryptStringToBinaryA,CryptStringToBinaryA, 3_2_009D9C53

Compliance:

Uses 32bit PE files
Source: SophosSetup (9).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe File created: C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20210513_142940.log
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe File created: C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20210513_142943.log
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe File created: C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20210513_142946.log
Source: SophosSetup (9).exe Static PE information: certificate valid
Source: SophosSetup (9).exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\workspace\_bin\Win32\Release\SafeLauncher.pdb source: SophosSetup (9).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Setup.pdb source: SophosSetup (9).exe
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009EFF2C FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, 3_2_009EFF2C
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B4FF2C FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, 6_2_00B4FF2C
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F4FF2C FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, 8_2_00F4FF2C
Source: Setup.exe, 00000003.00000002.246648079.0000000002F86000.00000004.00000040.sdmp String found in binary or memory: http://cacerts.d_
Source: SophosSetup (9).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SophosSetup (9).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SophosSetup (9).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SophosSetup (9).exe String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: Setup.exe, 00000003.00000003.207461057.0000000002CC0000.00000004.00000001.sdmp, Setup.exe, 00000006.00000003.214179711.00000000008C2000.00000004.00000001.sdmp, Setup.exe, 00000008.00000002.228992339.00000000008F7000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: SophosSetup (9).exe String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SophosSetup (9).exe String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SophosSetup (9).exe String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SophosSetup (9).exe String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: Setup.exe, 00000006.00000002.238159203.0000000000AE6000.00000004.00000040.sdmp String found in binary or memory: http://crl4.digicert.
Source: SophosSetup (9).exe String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SophosSetup (9).exe String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SophosSetup (9).exe String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SophosSetup (9).exe String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: Setup.exe, 00000003.00000002.247044892.0000000004BE2000.00000004.00000001.sdmp, Setup.exe, 00000008.00000002.230087964.0000000004AB2000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.dig
Source: Setup.exe, 00000003.00000002.246648079.0000000002F86000.00000004.00000040.sdmp String found in binary or memory: http://ocsp.digicert.c#
Source: SophosSetup (9).exe String found in binary or memory: http://ocsp.digicert.com0C
Source: SophosSetup (9).exe String found in binary or memory: http://ocsp.digicert.com0H
Source: SophosSetup (9).exe String found in binary or memory: http://ocsp.digicert.com0I
Source: SophosSetup (9).exe String found in binary or memory: http://ocsp.digicert.com0O
Source: Setup.exe, 00000006.00000002.242624835.0000000004AA2000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digy
Source: SophosSetup (9).exe String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SophosSetup (9).exe String found in binary or memory: http://www.emtype.nethttp://www.emtype.net/emtype_eula.phpSophos
Source: SophosSetup (9).exe String found in binary or memory: https://www.digicert.com/CPS0
Source: SophosSetup (9).exe String found in binary or memory: https://www.sophos.com/de-de/legal.aspx
Source: SophosSetup (9).exe String found in binary or memory: https://www.sophos.com/en-us/legal.aspx
Source: SophosSetup (9).exe String found in binary or memory: https://www.sophos.com/es-es/legal.aspx
Source: SophosSetup (9).exe String found in binary or memory: https://www.sophos.com/fr-fr/legal.aspx
Source: SophosSetup (9).exe String found in binary or memory: https://www.sophos.com/it-it/legal.aspx
Source: SophosSetup (9).exe String found in binary or memory: https://www.sophos.com/ja-jp/legal.aspx
Source: SophosSetup (9).exe String found in binary or memory: https://www.sophos.com/zh-cn/legal.aspx

System Summary:

Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009A70DD 3_2_009A70DD
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A212F9 3_2_00A212F9
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009DD2FD 3_2_009DD2FD
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A0A3C0 3_2_00A0A3C0
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A28319 3_2_00A28319
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009DB368 3_2_009DB368
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A28439 3_2_00A28439
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A0F89D 3_2_00A0F89D
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A268C8 3_2_00A268C8
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009A7847 3_2_009A7847
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A15A90 3_2_00A15A90
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A1EA74 3_2_00A1EA74
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A13B36 3_2_00A13B36
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B070DD 6_2_00B070DD
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B07847 6_2_00B07847
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B6A3C0 6_2_00B6A3C0
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F070DD 8_2_00F070DD
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F07847 8_2_00F07847
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F6A3C0 8_2_00F6A3C0
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: String function: 00B527C4 appears 95 times
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: String function: 00B527F8 appears 64 times
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: String function: 00F527F8 appears 65 times
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: String function: 00F527C4 appears 95 times
Source: C:\Users\user\Desktop\SophosSetup (9).exe Code function: String function: 001F1DE0 appears 40 times
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: String function: 009F3000 appears 32 times
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: String function: 00996B45 appears 88 times
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: String function: 009F27C4 appears 129 times
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: String function: 009956EF appears 47 times
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: String function: 009F27F8 appears 118 times
PE file contains executable resources (Code or Archives)
Source: SophosSetup (9).exe Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
PE file contains strange resources
Source: SophosSetup (9).exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.1.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Setup.exe.7.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: SophosSetup (9).exe, 00000001.00000002.247237400.0000000000225000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSetup.exeD vs SophosSetup (9).exe
Source: SophosSetup (9).exe, 00000001.00000002.247237400.0000000000225000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSophosSetup.exeD vs SophosSetup (9).exe
Source: SophosSetup (9).exe, 00000005.00000000.210490013.0000000000225000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSetup.exeD vs SophosSetup (9).exe
Source: SophosSetup (9).exe, 00000005.00000000.210490013.0000000000225000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSophosSetup.exeD vs SophosSetup (9).exe
Source: SophosSetup (9).exe, 00000007.00000002.230259316.0000000000225000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSetup.exeD vs SophosSetup (9).exe
Source: SophosSetup (9).exe, 00000007.00000002.230259316.0000000000225000.00000002.00020000.sdmp Binary or memory string: OriginalFilenameSophosSetup.exeD vs SophosSetup (9).exe
Source: SophosSetup (9).exe Binary or memory string: OriginalFilenameSetup.exeD vs SophosSetup (9).exe
Source: SophosSetup (9).exe Binary or memory string: OriginalFilenameSophosSetup.exeD vs SophosSetup (9).exe
Uses 32bit PE files
Source: SophosSetup (9).exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Source: classification engine Classification label: clean5.winEXE@9/9@0/0
Source: C:\Users\user\Desktop\SophosSetup (9).exe Code function: 1_2_001F1260 HeapReAlloc,ConvertStringSecurityDescriptorToSecurityDescriptorW,FindResourceW,LoadResource,LockResource,SizeofResource,CreateFileW,WriteFile,CloseHandle,HeapAlloc,HeapAlloc,HeapAlloc,HeapFree,HeapFree,HeapAlloc,HeapFree,HeapAlloc,HeapFree,HeapAlloc,HeapFree,HeapAlloc,GetStartupInfoW,CreateProcessW,WaitForSingleObject,GetExitCodeProcess,CloseHandle,CloseHandle,CloseHandle,HeapFree,HeapFree, 1_2_001F1260
Source: C:\Users\user\Desktop\SophosSetup (9).exe File created: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400
Source: SophosSetup (9).exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\SophosSetup (9).exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Setup.exe String found in binary or memory: full/central/windows/business/installer/
Source: SophosSetup (9).exe String found in binary or memory: #\.\.\. (\w+) ([A-Za-z0-9/+=]+)\n#sig (\w+) ([A-Za-z0-9/+=]+)\ncert[BADSIG]: [BADFILE]: : '[VE_BADCERT]: Running setup.SetHandleInformation failed: CreatePipe failed: ReadFile failed: Failed to run setup program. CreateProcess failed: )Unexpected bytes_read failed: Unexpected size field value: (expected Failed to retrieve the exit code for the Setup programFailed to retrieve the exit code for the Setup program! Error code (for GetExitCodeProcess): Setup program failed with code: No value was provided for --customertokenNo value was provided for --epinstallerserver No value was provided for --productsNon string value provided for Content-Typeapplication/json; charset=utf-8Failed to get stage-2 infoapi/download/stage2-details/Failed to get stage-2 info: . Status code: stage1_version1.10.305.0Parsing message received for Stage 2 filename: 'processor_architectureJson content was :Error parsing json file for Stage 2 filename: mcs_serverstage2_filenamedeprecated_stage_1errorFailed to get stage 2 details: Stage 2 details suggest an expired Stage was used.Failed to get stage 2 details: Unrecognised or insufficient content.application/gzipdownloads.sophos.comfull/central/windows/business/installer/AcceptFailed to download stage-2 archive. Status code: 404 error indicating potentially expired stage 1Failed to download stage-2 archive: ReOpenFile failed (intermediate_handle): Extracting files:ReOpenFile failed (new_handle): Extraction failure.Failed to read long filename.Extraction failureMissing file after long filename.failed to read long filenameFailed to open file.Missing file after long filenameCan't write to file.Failed to open filecan't write to file\"
Source: SophosSetup (9).exe String found in binary or memory: "setup.failure.launch": "Failed to run the system pre-installation checks.",
Source: SophosSetup (9).exe String found in binary or memory: "setup.progress.running_prechecks": "Pre-installation checks...",
Source: SophosSetup (9).exe String found in binary or memory: stato possibile effettuare i controlli pre-installazione.",
Source: SophosSetup (9).exe String found in binary or memory: "setup.progress.running_prechecks": "Controlli pre-installazione...",
Source: unknown Process created: C:\Users\user\Desktop\SophosSetup (9).exe 'C:\Users\user\Desktop\SophosSetup (9).exe' -install
Source: C:\Users\user\Desktop\SophosSetup (9).exe Process created: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe 'C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe' -install
Source: unknown Process created: C:\Users\user\Desktop\SophosSetup (9).exe 'C:\Users\user\Desktop\SophosSetup (9).exe' /install
Source: C:\Users\user\Desktop\SophosSetup (9).exe Process created: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe 'C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe' /install
Source: unknown Process created: C:\Users\user\Desktop\SophosSetup (9).exe 'C:\Users\user\Desktop\SophosSetup (9).exe' /load
Source: C:\Users\user\Desktop\SophosSetup (9).exe Process created: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe 'C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe' /load
Source: C:\Users\user\Desktop\SophosSetup (9).exe Process created: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe 'C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe' -install
Source: C:\Users\user\Desktop\SophosSetup (9).exe Process created: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe 'C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe' /install
Source: C:\Users\user\Desktop\SophosSetup (9).exe Process created: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe 'C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe' /load
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Automated click: OK
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Automated click: OK
Source: SophosSetup (9).exe Static PE information: certificate valid
Source: SophosSetup (9).exe Static file information: File size 1565616 > 1048576
Source: SophosSetup (9).exe Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x175c00
Source: SophosSetup (9).exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: SophosSetup (9).exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Binary string: C:\workspace\_bin\Win32\Release\SafeLauncher.pdb source: SophosSetup (9).exe
Source: Binary string: C:\workspace\_bin\Win32\Release\Setup.pdb source: SophosSetup (9).exe

Data Obfuscation:

PE file contains an invalid checksum
Source: SophosSetup (9).exe Static PE information: real checksum: 0x63e1d4 should be: 0x1897be
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009F278D push ecx; ret 3_2_009F27A0
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A2BCF4 push ecx; ret 3_2_00A2BD09
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B8BCF4 push ecx; ret 6_2_00B8BD09
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B5278D push ecx; ret 6_2_00B527A0
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F8BCF4 push ecx; ret 8_2_00F8BD09
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F5278D push ecx; ret 8_2_00F527A0

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\SophosSetup (9).exe File created: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe
Source: C:\Users\user\Desktop\SophosSetup (9).exe File created: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe
Source: C:\Users\user\Desktop\SophosSetup (9).exe File created: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe File created: C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20210513_142940.log
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe File created: C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20210513_142943.log
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe File created: C:\ProgramData\Sophos\CloudInstaller\Logs\SophosCloudInstaller_20210513_142946.log
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009EFF2C FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, 3_2_009EFF2C
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B4FF2C FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, 6_2_00B4FF2C
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F4FF2C FindFirstFileExW,__Read_dir,FindClose,std::tr2::sys::_Strcpy, 8_2_00F4FF2C

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A0D414 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A0D414
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A0D0BB mov eax, dword ptr fs:[00000030h] 3_2_00A0D0BB
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A1AE06 mov eax, dword ptr fs:[00000030h] 3_2_00A1AE06
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B6D0BB mov eax, dword ptr fs:[00000030h] 6_2_00B6D0BB
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B7AE06 mov eax, dword ptr fs:[00000030h] 6_2_00B7AE06
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F6D0BB mov eax, dword ptr fs:[00000030h] 8_2_00F6D0BB
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F7AE06 mov eax, dword ptr fs:[00000030h] 8_2_00F7AE06
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SophosSetup (9).exe Code function: 1_2_001F2210 EntryPoint,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetProcessHeap,GetCommandLineW,HeapAlloc,HeapAlloc,HeapFree,HeapFree,HeapFree, 1_2_001F2210
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00A0D414 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 3_2_00A0D414
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_009F2A25 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 3_2_009F2A25
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B52A25 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_00B52A25
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: 6_2_00B6D414 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_00B6D414
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F52A25 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 8_2_00F52A25
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: 8_2_00F6D414 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 8_2_00F6D414
Source: C:\Users\user\Desktop\SophosSetup (9).exe Code function: 1_2_001F2210 EntryPoint,AllocateAndInitializeSid,CheckTokenMembership,FreeSid,GetProcessHeap,GetCommandLineW,HeapAlloc,HeapAlloc,HeapFree,HeapFree,HeapFree, 1_2_001F2210

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: EnumSystemLocalesW, 3_2_00A250FD
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: EnumSystemLocalesW, 3_2_00A25017
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: EnumSystemLocalesW, 3_2_00A25062
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: EnumSystemLocalesW, 3_2_00A1B48D
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 3_2_00A25516
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 3_2_00A256EB
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: GetLocaleInfoW, 3_2_00A1B973
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 3_2_00A24D6F
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: EnumSystemLocalesW, 6_2_00B850FD
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: EnumSystemLocalesW, 6_2_00B85017
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: EnumSystemLocalesW, 6_2_00B85062
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: GetLocaleInfoW, 6_2_00B7B973
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: EnumSystemLocalesW, 6_2_00B7B48D
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 6_2_00B85516
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 6_2_00B84D6F
Source: C:\Users\user\AppData\Local\Temp\sfl-5b4b6400\Setup.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 6_2_00B856EB
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: EnumSystemLocalesW, 8_2_00F850FD
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: EnumSystemLocalesW, 8_2_00F85062
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: EnumSystemLocalesW, 8_2_00F85017
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: GetLocaleInfoW, 8_2_00F7B973
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: EnumSystemLocalesW, 8_2_00F7B48D
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 8_2_00F84D6F
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 8_2_00F85516
Source: C:\Users\user\AppData\Local\Temp\sfl-1bfb6400\Setup.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00F856EB
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Code function: 3_2_00999ADA __EH_prolog3_GS,GetLastError,GetSystemTimeAsFileTime,SetLastError, 3_2_00999ADA
Source: C:\Users\user\AppData\Local\Temp\sfl-9a9a6400\Setup.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Behavior Graph ID: 413056 Sample: SophosSetup (9).exe Startdate: 13/05/2021 Architecture: WINDOWS Score: 5 (graph: SophosSetup (9).exe started three times, each instance dropping C:\Users\user\AppData\Local\...\Setup.exe (PE32) and starting it)
No contacted IP infos