Windows Analysis Report
OCSetupHlp.dll

Overview

General Information

Sample Name: OCSetupHlp.dll
Analysis ID: 1304417
MD5: decc7db9ed870d3d3af58623f2e547ff
SHA1: 3fc6c78fa512ea948b262203cd531e57d7fe3ba4
SHA256: 2471c9fff6ad7875fb22c7ae3ffae3ac1de94e93bd1a88b19c417306eb5ca60a

Detection

Score: 56
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for submitted file
Creates a DirectInput object (often for capturing keystrokes)
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Uses 32bit PE files
Tries to load missing DLLs
Program does not show much activity (idle)
Creates a process in suspended mode (likely to inject code)

Classification

Classification chart (categories: Ransomware, Spreading, Phishing, Banker, Trojan / Bot, Adware, Spyware, Exploiter, Evader, Miner; verdict scale: clean, suspicious, malicious)

AV Detection

Source: OCSetupHlp.dll Avira: detected
Source: OCSetupHlp.dll ReversingLabs: Detection: 70%
Source: OCSetupHlp.dll Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE, DLL
Source: OCSetupHlp.dll Static PE information: certificate valid
Source: OCSetupHlp.dll Static PE information: DYNAMIC_BASE, NX_COMPAT
Source: OCSetupHlp.dll String found in binary or memory: http:///?proxy;IsWow64Processkernel32GetNativeSystemInfokernel32.dllWIN7.0WSV7.0SP-64WIN6.0WSV6.0WSV
Source: OCSetupHlp.dll String found in binary or memory: http://api.opencandy.com
Source: OCSetupHlp.dll String found in binary or memory: http://curl.haxx.se/rfc/cookie_spec.html
Source: OCSetupHlp.dll String found in binary or memory: http://opencandy.com
Source: OCSetupHlp.dll String found in binary or memory: http://sdk.opencandy.com/deverrorredirect.php?sdk=%s&err=%d
Source: OCSetupHlp.dll String found in binary or memory: http://stats.opencandy.com/
Source: OCSetupHlp.dll String found in binary or memory: http://stats.opencandy.com/&debug=&k=&partner_key=&v=OCVBValidateFFRXFWCHECKASCHECKAVCHECKCMPFCRESRC
Source: OCSetupHlp.dll String found in binary or memory: http://www.opencandy.com/successful-integration/.
Source: OCSetupHlp.dll String found in binary or memory: http://www.opencandy.comMsg_HelpUrlInstallation
Source: loaddll32.exe, 00000000.00000002.265767305.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/> memstr_ffe2c7d9-c
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: OCSetupHlp.dll Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Windows\System32\loaddll32.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal56.winDLL@14/0@0/0
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCSetupHlp.dll",#1
Source: unknown Process created: C:\Windows\System32\loaddll32.exe loaddll32.exe "C:\Users\user\Desktop\OCSetupHlp.dll"
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C rundll32.exe "C:\Users\user\Desktop\OCSetupHlp.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /i /s C:\Users\user\Desktop\OCSetupHlp.dll
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe "C:\Users\user\Desktop\OCSetupHlp.dll",#1
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCSetupHlp.dll,DllCanUnloadNow
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCSetupHlp.dll,DllGetClassObject
Source: C:\Windows\System32\loaddll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe rundll32.exe C:\Users\user\Desktop\OCSetupHlp.dll,DllInstall
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7028:120:WilError_01
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: C:\Windows\System32\loaddll32.exe Thread delayed: delay time: 120000
No contacted IP infos