Windows Analysis Report
Autopoisk.exe

Overview

General Information

Sample name: Autopoisk.exe
Analysis ID: 1417454
MD5: e66d46d21cfd0eebfbfd8a1d5c5b66a7
SHA1: 3256594747ccde2486667a1ea617b2555fabb8d0
SHA256: a9bda3e785367821be8aea456b52a3a722486dde3f5ab106e8b982a500850447

Detection

Score: 5
Range: 0 - 100
Whitelisted: false
Confidence: 20%

Signatures

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
May sleep (evasive loops) to hinder dynamic analysis
PE file contains more sections than normal
PE file contains sections with non-standard names
Queries keyboard layouts
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication

Classification

Source: Autopoisk.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: global traffic HTTP traffic detected:
GET /files/version HTTP/1.1
Cache-control: no-cache
Pragma: no-cache
Host: upd.autopoisk.su
Accept: text/html, */*
Accept-Encoding: identity
User-Agent: Mozilla/3.0 (compatible; Indy Library)
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: r3.autopoisk.vin
Source: Autopoisk.exe String found in binary or memory: http://upd.autopoisk.su/files/Autopoisk-
Source: Autopoisk.exe String found in binary or memory: http://upd.autopoisk.su/files/versionU
Source: Autopoisk.exe String found in binary or memory: http://www.indyproject.org/
Source: Autopoisk.exe, 00000000.00000002.2886100080.0000000002DA0000.00000004.00001000.00020000.00000000.sdmp, Autopoisk.exe, 00000000.00000002.2886100080.0000000002E94000.00000004.00001000.00020000.00000000.sdmp String found in binary or memory: https://upd.autopoisk.su/files/version
Source: Autopoisk.exe Static PE information: Number of sections : 11 > 10
Source: Autopoisk.exe, 00000000.00000000.1616961805.0000000000416000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilename vs Autopoisk.exe
Source: Autopoisk.exe, 00000000.00000000.1616961805.0000000000416000.00000020.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFileName vs Autopoisk.exe
Source: Autopoisk.exe Binary or memory string: OriginalFilename vs Autopoisk.exe
Source: Autopoisk.exe Binary or memory string: OriginalFileName vs Autopoisk.exe
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: msimg32.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: security.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: propsys.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Autopoisk.exe Section loaded: winnsi.dll
Source: classification engine Classification label: clean5.winEXE@1/0@6/6
Source: Yara match File source: Autopoisk.exe, type: SAMPLE
Source: Yara match File source: 0.0.Autopoisk.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000000.1616961805.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Autopoisk.exe Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\Desktop\Autopoisk.exe File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\Autopoisk.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Autopoisk.exe String found in binary or memory: NATS-SEFI-ADD
Source: Autopoisk.exe String found in binary or memory: NATS-DANO-ADD
Source: Autopoisk.exe String found in binary or memory: JIS_C6229-1984-b-add
Source: Autopoisk.exe String found in binary or memory: jp-ocr-b-add
Source: Autopoisk.exe String found in binary or memory: JIS_C6229-1984-hand-add
Source: Autopoisk.exe String found in binary or memory: jp-ocr-hand-add
Source: Autopoisk.exe String found in binary or memory: ISO_6937-2-add
Source: C:\Users\user\Desktop\Autopoisk.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Source: C:\Users\user\Desktop\Autopoisk.exe Window found: window name: TComboBox
Source: Autopoisk.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Autopoisk.exe Static file information: File size 13065007 > 1048576
Source: Autopoisk.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x259800
Source: Autopoisk.exe Static PE information: Raw size of .debug is bigger than: 0x100000 < 0x98332f
Source: Autopoisk.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Autopoisk.exe Static PE information: section name: .didata
Source: Autopoisk.exe Static PE information: section name: .debug
Source: C:\Users\user\Desktop\Autopoisk.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Autopoisk.exe Window / User API: threadDelayed 507
Source: C:\Users\user\Desktop\Autopoisk.exe Window / User API: threadDelayed 3135
Source: C:\Users\user\Desktop\Autopoisk.exe TID: 7716 Thread sleep time: -507000s >= -30000s
Source: C:\Users\user\Desktop\Autopoisk.exe TID: 7708 Thread sleep time: -3135000s >= -30000s
Source: C:\Users\user\Desktop\Autopoisk.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\08070809
Source: C:\Users\user\Desktop\Autopoisk.exe Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04070809
Source: C:\Users\user\Desktop\Autopoisk.exe Last function: Thread delayed
Source: Autopoisk.exe Binary or memory string: @Idassignednumbers@IdPORT_vmnet
Source: Autopoisk.exe Binary or memory string: @Idassignednumbers@IdPORT_vmnet$@Idassignednumbers@IdPORT_genrad_mux
Source: Autopoisk.exe, 00000000.00000002.2885859929.00000000012EE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Autopoisk.exe Binary or memory string: @Winapi@Windows@DOF_PROGMAN