Windows Analysis Report
ocs.exe
Overview
General Information
Detection
| Score | 48 |
| Range | 0 - 100 |
| Whitelisted | false |
| Confidence | 100% |
Signatures
AI detected suspicious sample
Machine Learning detection for sample
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to launch a program with higher privileges
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Found dropped PE file which has not been started or loaded
May sleep (evasive loops) to hinder dynamic analysis
Potential key logger detected (key state polling based)
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Uses 32bit PE files
Classification
- System is w10x64
- ocs.exe (PID: 3200, cmdline: "C:\Users\user\Desktop\ocs.exe", MD5: 725DA9F8EC7B0B8316DAE970F35590EF)
- cmd.exe (PID: 1196, cmdline: C:\Windows\system32\cmd.exe /c ""C:\Users\user\AppData\Local\Temp\A3BE.tmp\start.bat" ", MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
- conhost.exe (PID: 6152, cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, MD5: 0D698AF330FD17BEE3BF90011D49251D)
- runasspc.exe (PID: 2924, cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"mitro,1916" /quiet, MD5: 85848267B79C1BF176EEFF46EA4B3537)
- runasspc.exe (PID: 2704, cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"bk0906!!" /quiet, MD5: 85848267B79C1BF176EEFF46EA4B3537)
- runasspc.exe (PID: 5624, cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"Abello" /quiet, MD5: 85848267B79C1BF176EEFF46EA4B3537)
- runasspc.exe (PID: 5508, cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"tSyDqvEwA6UL" /quiet, MD5: 85848267B79C1BF176EEFF46EA4B3537)
- runasspc.exe (PID: 320, cmdline: runasspc.exe /program:"ocsagentsetup.exe /S /SERVER:192.168.32.7 /PNUM:80 /NP /NOSPLASH /NoOcs_ContactLnk /NOW" /domain:"localhost" /user:"Administrator" /password:"&9brASEt-eYe" /quiet, MD5: 85848267B79C1BF176EEFF46EA4B3537)
- cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Suricata rule has matched
AV Detection
Source: | Integrated Neural Analysis Model: |
Source: | Joe Sandbox ML: |
Source: | Static PE information: |
Source: | Code function: |