analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

upsupx.exe

Full analysis: https://app.any.run/tasks/8004c01b-60d3-4385-aee0-66229c009831
Verdict: Malicious activity
Threats:

Trojans are a group of malicious programs distinguished by their ability to masquerade as benign software. Depending on their type, trojans possess a variety of capabilities, ranging from maintaining full remote control over the victim’s machine to stealing data and files, as well as dropping other malware. At the same time, the main functionality of each trojan family can differ significantly depending on its type. The most common trojan infection chain starts with a phishing email.

Malware Trends Tracker     >>>
Analysis date: April 15, 2019, 09:46:00
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
trojan
MIME: application/x-dosexec
File info: PE32 executable (console) Intel 80386, for MS Windows, UPX compressed
MD5:

147BA798E448EB3CAA7E477E7FB3A959

SHA1:

070761EB59DE439C65FBB56C3D7A8F2FBB00A2F6

SHA256:

790C213E1227ADEFD2D564217DE86AC9FE660946E1240B5415C55770A951ABFD

SSDEEP:

6144:WtZvBntosUq/QOpVRQOh3p5JNhFX4oVzBKmkMtmZKc:snOsGOpVxh3p5JNTX7VdeMtmZK

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Creates files in the program directory

      • upsupx.exe (PID: 3084)

  • INFO

    No info indicators.
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | UPX compressed Win32 Executable (64.2)
.dll | Win32 Dynamic Link Library (generic) (15.6)
.exe | Win32 Executable (generic) (10.6)
.exe | Generic Win/DOS Executable (4.7)
.exe | DOS Executable Generic (4.7)

EXIF

EXE

ProductVersion: 1.0.0.8
ProductName: TODO: <产品名>
OriginalFileName: ups.exe
LegalCopyright: Copyright (C) 2018
InternalName: ups.exe
FileVersion: 1.0.0.8
FileDescription: TODO: <文件说明>
CompanyName: TODO: <公司名>
CharacterSet: Unicode
LanguageCode: Chinese (Simplified)
FileSubtype: -
ObjectFileType: Executable application
FileOS: Windows NT 32-bit
FileFlags: (none)
FileFlagsMask: 0x003f
ProductVersionNumber: 1.0.0.8
FileVersionNumber: 1.0.0.8
Subsystem: Windows command line
SubsystemVersion: 5.1
ImageVersion: -
OSVersion: 5.1
EntryPoint: 0x87110
UninitializedDataSize: 331776
InitializedDataSize: 4096
CodeSize: 221184
LinkerVersion: 10
PEType: PE32
TimeStamp: 2019:01:22 02:09:21+01:00
MachineType: Intel 386 or later, and compatibles

Summary

Architecture: IMAGE_FILE_MACHINE_I386
Subsystem: IMAGE_SUBSYSTEM_WINDOWS_CUI
Compilation Date: 22-Jan-2019 01:09:21
Detected languages:
  • Chinese - PRC
  • English - United States
CompanyName: TODO: <公司名>
FileDescription: TODO: <文件说明>
FileVersion: 1.0.0.8
InternalName: ups.exe
LegalCopyright: Copyright (C) 2018
OriginalFilename: ups.exe
ProductName: TODO: <产品名>
ProductVersion: 1.0.0.8

DOS Header

Magic number: MZ
Bytes on last page of file: 0x0090
Pages in file: 0x0003
Relocations: 0x0000
Size of header: 0x0004
Min extra paragraphs: 0x0000
Max extra paragraphs: 0xFFFF
Initial SS value: 0x0000
Initial SP value: 0x00B8
Checksum: 0x0000
Initial IP value: 0x0000
Initial CS value: 0x0000
Overlay number: 0x0000
OEM identifier: 0x0000
OEM information: 0x0000
Address of NE header: 0x00000100

PE Headers

Signature: PE
Machine: IMAGE_FILE_MACHINE_I386
Number of sections: 3
Time date stamp: 22-Jan-2019 01:09:21
Pointer to Symbol Table: 0x00000000
Number of symbols: 0
Size of Optional Header: 0x00E0
Characteristics:
  • IMAGE_FILE_32BIT_MACHINE
  • IMAGE_FILE_EXECUTABLE_IMAGE

Sections

Name
Virtual Address
Virtual Size
Raw Size
Charateristics
Entropy
UPX0
0x00001000
0x00051000
0x00000000
IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
0
UPX1
0x00052000
0x00036000
0x00035400
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
7.9166
.rsrc
0x00088000
0x00001000
0x00000800
IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
4.10067

Resources

Title
Entropy
Size
Codepage
Language
Type
1
4.87633
393
Latin 1 / Western European
English - United States
RT_MANIFEST

Imports

ADVAPI32.dll
KERNEL32.DLL
PSAPI.DLL
USER32.dll
VERSION.dll
WININET.dll
WS2_32.dll
dbghelp.dll
No data.
screenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
32
Monitored processes
1
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start upsupx.exe

Process information

PID
CMD
Path
Indicators
Parent process
3084"C:\Users\admin\AppData\Local\Temp\upsupx.exe" C:\Users\admin\AppData\Local\Temp\upsupx.exe
explorer.exe
User:
admin
Company:
TODO: <公司名>
Integrity Level:
MEDIUM
Description:
TODO: <文件说明>
Version:
1.0.0.8
Modules
Images
c:\users\admin\appdata\local\temp\upsupx.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\sechost.dll
c:\windows\system32\dbghelp.dll
c:\windows\system32\psapi.dll
Total events
31
Read events
13
Write events
18
Delete events
0

Modification events

(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASAPI32
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASAPI32
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASAPI32
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASAPI32
Operation:writeName:ConsoleTracingMask
Value:
4294901760
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASAPI32
Operation:writeName:MaxFileSize
Value:
1048576
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASAPI32
Operation:writeName:FileDirectory
Value:
%windir%\tracing
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASMANCS
Operation:writeName:EnableFileTracing
Value:
0
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASMANCS
Operation:writeName:EnableConsoleTracing
Value:
0
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASMANCS
Operation:writeName:FileTracingMask
Value:
4294901760
(PID) Process:(3084) upsupx.exeKey:HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing\upsupx_RASMANCS
Operation:writeName:ConsoleTracingMask
Value:
4294901760
Executable files
0
Suspicious files
0
Text files
2
Unknown types
0

Dropped files

PID
Process
Filename
Type
3084upsupx.exeC:\Users\admin\AppData\Local\VirtualStore\Program Files\Common Files\xpdown.dattext
MD5:8725A1BD66A427D707179CE7B40250C4
SHA256:D7CAC81AFDD4B32B701C02CCE9F0ABB187296615BEC21C78216EA606CDD60F3C
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
10
TCP/UDP connections
5
DNS requests
0
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3084
upsupx.exe
GET
200
45.58.135.106:80
http://45.58.135.106/kill.txt
US
text
390 b
malicious
3084
upsupx.exe
GET
200
45.58.135.106:80
http://45.58.135.106/ok/64.html
US
text
14 b
malicious
3084
upsupx.exe
GET
185.112.156.92:80
http://185.112.156.92/downs.exe
HU
suspicious
3084
upsupx.exe
GET
174.128.248.10:80
http://174.128.248.10/b.exe
US
suspicious
3084
upsupx.exe
GET
66.117.6.174:80
http://66.117.6.174/ups.rar
US
suspicious
3084
upsupx.exe
GET
198.148.90.34:80
http://198.148.90.34/0228.rar
US
suspicious
3084
upsupx.exe
GET
200
45.58.135.106:80
http://45.58.135.106/ok/down.html
US
text
13 b
malicious
3084
upsupx.exe
GET
200
45.58.135.106:80
http://45.58.135.106/xpdown.dat
US
binary
128 b
malicious
3084
upsupx.exe
GET
200
45.58.135.106:80
http://45.58.135.106/downs.txt
US
text
233 b
malicious
3084
upsupx.exe
GET
200
45.58.135.106:80
http://45.58.135.106/ok/vers.html
US
text
13 b
malicious
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3084
upsupx.exe
45.58.135.106:80
Sharktech
US
malicious
3084
upsupx.exe
66.117.6.174:80
Corporate Colocation Inc.
US
suspicious
3084
upsupx.exe
185.112.156.92:80
DoclerWeb Kft.
HU
suspicious
3084
upsupx.exe
198.148.90.34:80
Sharktech
US
suspicious
3084
upsupx.exe
174.128.248.10:80
Sharktech
US
suspicious

DNS requests

No data

Threats

PID
Process
Class
Message
3084
upsupx.exe
A Network Trojan was detected
MALWARE [PTsecurity] Backdoor.Win32.Mocker
3084
upsupx.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3084
upsupx.exe
A Network Trojan was detected
ET INFO Executable Download from dotted-quad Host
3084
upsupx.exe
A Network Trojan was detected
ET TROJAN Single char EXE direct download likely trojan (multiple families)
3084
upsupx.exe
Potentially Bad Traffic
ET CURRENT_EVENTS Terse alphanumeric executable downloader high likelihood of being hostile
3084
upsupx.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3084
upsupx.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
3084
upsupx.exe
Generic Protocol Command Decode
SURICATA STREAM excessive retransmissions
3084
upsupx.exe
Potential Corporate Privacy Violation
ET POLICY PE EXE or DLL Windows file download HTTP
3084
upsupx.exe
Potentially Bad Traffic
ET INFO SUSPICIOUS Dotted Quad Host MZ Response
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2024 ANY.RUN LLC. ALL RIGHTS RESERVED
ANY.RUN
Reports
upsupx.exe