File name: UPX_Unpackers.rar

Full analysis: https://app.any.run/tasks/607274f1-6f66-4bef-80f2-ca538518098a
Verdict: Malicious activity
Analysis date: August 10, 2018, 13:46:29
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-rar
File info: RAR archive data, v4, os: Win32
MD5: F17B1C27070F8AECC31FBCE985E1C2CC
SHA1: 043AA4471502D730F040F6508BB8A9DD68BD42F1
SHA256: CC13A6BB20474696A0CFC111576C1F1BACCD2C0A01F66E013CA08909BC885EA7
SSDEEP: 49152:wLOXXCV8QmXL83M5KXTZuSxIOXgiGgLS51h85EswGpM:yKXCmNXLf5KjZ/mcgiGgLQzKEs1pM

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report may be distorted by user actions and is provided as is. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 372)
      • testing_1.exe (PID: 2284)
      • testing_2.exe (PID: 2084)
      • deUPX.exe (PID: 1640)
      • deUPX.exe (PID: 3140)
    • Application was dropped or rewritten from another process

      • Exe2Aut.exe (PID: 2560)
      • testing_1.exe (PID: 2284)
      • Exe2Aut.exe (PID: 3640)
      • testing_2.exe (PID: 2084)
      • UPXUP.exe (PID: 3940)
      • UPXUP.exe (PID: 1512)
      • upx.exe (PID: 3792)
      • deUPX.exe (PID: 1640)
      • deSimpleUPXCryptor.exe (PID: 2396)
      • upxf.exe (PID: 1224)
      • upx-ripper.exe (PID: 2844)
      • upx.exe (PID: 2108)
      • upx.exe (PID: 4004)
      • $hit Die.exe (PID: 3440)
      • deUPX.exe (PID: 3140)
  • SUSPICIOUS

    • Application launched itself

      • WinRAR.exe (PID: 2268)
    • Executable content was dropped or overwritten

      • Exe2Aut.exe (PID: 2560)
      • WinRAR.exe (PID: 1936)
      • deSimpleUPXCryptor.exe (PID: 2396)
  • INFO

    • Dropped object may contain URLs

      • WinRAR.exe (PID: 1936)
    • Dropped object may contain Bitcoin addresses

      • WinRAR.exe (PID: 1936)
    • Application crashed

      • upx-ripper.exe (PID: 2844)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report
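The three "dropped executable" signatures above are simple joins over the monitor's event stream: remember every executable a monitored process writes, then watch for a process start or an image load that refers back to one of those paths. The following is an added illustration of that logic, not ANY.RUN's own signature engine. The event schema (file_write / process_start / image_load dicts) and the parent PIDs are assumptions made for the example; the sample records are constructed to mirror this report's tree, where WinRAR.exe (PID 1936) extracts deUPX.exe and TitanEngine.dll, explorer.exe launches deUPX.exe (PID 1640), which loads the extracted TitanEngine.dll, and SearchProtocolHost.exe (PID 372) touches the new files.

```python
"""Added example (not ANY.RUN code): replaying three sandbox signatures over a
constructed event log.  Event schema and sample records are assumptions."""
from collections import defaultdict
import ntpath

EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".sys", ".ocx", ".cpl")

SIG_DROP = "Executable content was dropped or overwritten"
SIG_RUN_DROPPED = "Application was dropped or rewritten from another process"
SIG_LOAD_DROPPED = "Loads dropped or rewritten executable"

# Constructed events in monitor (chronological) order, modelled on this report.
# Paths keep the mixed case the monitor emitted, so matching must case-fold.
SAMPLE_EVENTS = [
    {"type": "process_start", "pid": 372,
     "image": r"C:\Windows\System32\SearchProtocolHost.exe", "parent_pid": 1100},
    {"type": "process_start", "pid": 1936,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe", "parent_pid": 1200},
    {"type": "file_write", "pid": 1936,
     "path": r"C:\Users\admin\Desktop\UPX_Unpackers\RLdeUPX 1.x-3.x\deUPX.exe"},
    {"type": "file_write", "pid": 1936,
     "path": r"C:\Users\admin\Desktop\UPX_Unpackers\RLdeUPX 1.x-3.x\TitanEngine.dll"},
    {"type": "file_write", "pid": 1936,
     "path": r"C:\Users\admin\Desktop\UPX_Unpackers\UPX 3.08w\upx.1"},
    {"type": "process_start", "pid": 1640,
     "image": r"C:\Users\admin\Desktop\UPX_Unpackers\RLdeUPX 1.x-3.x\deUPX.exe",
     "parent_pid": 1200},
    {"type": "image_load", "pid": 1640, "path": r"c:\windows\system32\kernel32.dll"},
    {"type": "image_load", "pid": 1640,
     "path": r"c:\users\admin\desktop\upx_unpackers\rldeupx 1.x-3.x\titanengine.dll"},
    {"type": "image_load", "pid": 372,
     "path": r"c:\users\admin\desktop\upx_unpackers\rldeupx 1.x-3.x\deupx.exe"},
]


def norm(path: str) -> str:
    """Case-fold a Windows path so the monitor's different spellings compare equal."""
    return path.lower()


def evaluate(events):
    """Replay events once; return {signature: sorted [(pid, image basename)]}.

    'dropped' maps every executable path written by a monitored process to the
    writer's PID, so a later start or load of that exact path is tied back to
    the dropper.  Events must be in chronological order for this to work.
    """
    dropped = {}                 # normalized path -> writer pid
    images = {}                  # pid -> image basename, for reporting
    hits = defaultdict(set)
    for ev in events:
        kind = ev["type"]
        if kind == "process_start":
            images[ev["pid"]] = ntpath.basename(ev["image"])
            if norm(ev["image"]) in dropped:
                hits[SIG_RUN_DROPPED].add((ev["pid"], images[ev["pid"]]))
        elif kind == "file_write" and norm(ev["path"]).endswith(EXECUTABLE_EXT):
            dropped[norm(ev["path"])] = ev["pid"]
            hits[SIG_DROP].add((ev["pid"], images.get(ev["pid"], "?")))
        elif kind == "image_load":
            path = norm(ev["path"])
            # The signature is about *another* process's payload; a dropper
            # mapping its own file is left to the "dropped" signature.
            if path in dropped and dropped[path] != ev["pid"]:
                hits[SIG_LOAD_DROPPED].add((ev["pid"], images.get(ev["pid"], "?")))
    return {sig: sorted(procs) for sig, procs in hits.items()}


if __name__ == "__main__":
    for sig, procs in evaluate(SAMPLE_EVENTS).items():
        print(sig)
        for pid, name in procs:
            print(f"    {name} (PID: {pid})")
```

Run against the constructed log this reproduces the report's hits: WinRAR.exe (1936) for the drop, deUPX.exe (1640) for both "dropped" and "loads dropped", and SearchProtocolHost.exe (372) for "loads dropped". The last one is the noise case an analyst has to discount by hand: the Windows Search protocol host runs as SYSTEM and touches whatever was just written to the desktop, so it trips the rule without being part of the sample's behaviour. Two details matter in practice: events must be replayed in monitor order (a load seen before the write would be missed), and paths must be case-folded, since the module list records lowercase paths while the drop list keeps the original case.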
No Malware configuration.

TRiD

.rar | RAR compressed archive (v-4.x) (58.3)
.rar | RAR compressed archive (gen) (41.6)

EXIF

ZIP

CompressedSize: 39184
UncompressedSize: 172032
OperatingSystem: Win32
ModifyDate: 2009:08:01 03:56:27
PackingMethod: Best Compression
ArchivedFileName: RLdeUPX 1.x-3.x\deUPX.exe
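The EXIF block above is what a metadata reader recovers from the RAR 4.x headers alone: per entry, the archived name, packed and unpacked sizes, host OS, compression method and DOS modify time. Walking those headers is the cheapest triage step for an archive like this one, because it lists nested archives and executables before anything is extracted. The following is an added example, written for this page and not taken from the ANY.RUN report, ExifTool or TRiD. It builds a small RAR 4.x archive in memory with stored (uncompressed) entries whose names are modelled on the listing above, then parses it back; the real UPX_Unpackers.rar is not included, and the builder only emits stored data, so it is a parser test fixture rather than a compressor.

```python
"""Added example (not from the report or from ExifTool/TRiD): a minimal RAR 4.x
header walker.  Layout: 7-byte marker block, archive header (type 0x73), then a
file header (type 0x74) plus packed data per entry.  Sample archive is constructed."""
import struct
import zlib
from datetime import datetime

RAR4_MARKER = b"Rar!\x1a\x07\x00"      # RAR5 begins Rar!\x1a\x07\x01\x00 and is rejected
HOST_OS = {0: "MS-DOS", 1: "OS/2", 2: "Win32", 3: "Unix", 4: "Mac OS", 5: "BeOS"}
METHOD = {0x30: "Stored", 0x31: "Fastest", 0x32: "Fast", 0x33: "Normal",
          0x34: "Good", 0x35: "Best Compression"}
LHD_PASSWORD, LHD_LARGE, LONG_BLOCK = 0x0004, 0x0100, 0x8000
SUSPECT_EXT = (".exe", ".dll", ".scr", ".rar", ".zip")


def head_crc(body: bytes) -> int:
    """HEAD_CRC is the low 16 bits of CRC32 over the header bytes after the CRC field."""
    return zlib.crc32(body) & 0xFFFF


def dos_time(ts: int) -> datetime:
    """Decode FTIME: DOS date in the high word, DOS time (2 s resolution) in the low word."""
    date, time = ts >> 16, ts & 0xFFFF
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def to_dos_time(dt: datetime) -> int:
    return (((dt.year - 1980) << 9 | dt.month << 5 | dt.day) << 16
            | (dt.hour << 11 | dt.minute << 5 | dt.second // 2))


def build_rar4(entries) -> bytes:
    """Write a RAR 4.x archive of stored entries: [(name, data, datetime), ...]."""
    out = bytearray(RAR4_MARKER)
    main = struct.pack("<BHH", 0x73, 0, 13) + b"\0" * 6   # type, flags, HEAD_SIZE, reserved
    out += struct.pack("<H", head_crc(main)) + main
    for name, data, mtime in entries:
        raw = name.encode("cp437")
        # type, flags, HEAD_SIZE, PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME,
        # UNP_VER, METHOD, NAME_SIZE, ATTR: 32 bytes fixed including HEAD_CRC
        body = struct.pack("<BHHIIBIIBBHI", 0x74, LONG_BLOCK, 32 + len(raw),
                           len(data), len(data), 2, zlib.crc32(data),
                           to_dos_time(mtime), 29, 0x30, len(raw), 0x20) + raw
        out += struct.pack("<H", head_crc(body)) + body + data
    return bytes(out)


def list_rar4(blob: bytes):
    """Walk the block chain, verify every HEAD_CRC, and yield one dict per file header."""
    if not blob.startswith(RAR4_MARKER):
        raise ValueError("not a RAR 4.x archive (marker block missing)")
    pos = len(RAR4_MARKER)
    while pos + 7 <= len(blob):
        crc, htype, flags, hsize = struct.unpack_from("<HBHH", blob, pos)
        if hsize < 7 or pos + hsize > len(blob):
            raise ValueError(f"bad HEAD_SIZE {hsize} at offset {pos:#x}")
        if head_crc(blob[pos + 2:pos + hsize]) != crc:
            raise ValueError(f"HEAD_CRC mismatch at offset {pos:#x}")
        # LONG_BLOCK headers carry ADD_SIZE after HEAD_SIZE; for files it is PACK_SIZE.
        add = struct.unpack_from("<I", blob, pos + 7)[0] if flags & LONG_BLOCK else 0
        if htype == 0x74:
            (pack, unp, host, _fcrc, ftime, _ver, method,
             nlen, _attr) = struct.unpack_from("<IIBIIBBHI", blob, pos + 7)
            off = pos + 32
            if flags & LHD_LARGE:                      # 64-bit sizes: high dwords follow
                hp, hu = struct.unpack_from("<II", blob, off)
                pack, unp, off = pack | hp << 32, unp | hu << 32, off + 8
            # With the Unicode flag the field is "oemname\0unicode"; keep the OEM part.
            name = blob[off:off + nlen].split(b"\0")[0].decode("cp437", "replace")
            yield {"name": name, "packed": pack, "unpacked": unp,
                   "os": HOST_OS.get(host, f"unknown({host})"),
                   "method": METHOD.get(method, f"unknown({method:#x})"),
                   "mtime": dos_time(ftime), "encrypted": bool(flags & LHD_PASSWORD)}
        elif htype == 0x7B:                            # end-of-archive block
            break
        pos += hsize + add


def triage(blob: bytes):
    """Names and unpacked sizes of entries worth a look: executables and nested archives."""
    return [(e["name"], e["unpacked"]) for e in list_rar4(blob)
            if e["name"].lower().endswith(SUSPECT_EXT)]


# Constructed sample whose first entry mirrors the one ExifTool reported above.
SAMPLE_RAR = build_rar4([
    ("RLdeUPX 1.x-3.x\\deUPX.exe", b"MZ" + b"\0" * 126, datetime(2009, 8, 1, 3, 56, 26)),
    ("UPX 3.08w\\upx.1", b".TH UPX 1\n", datetime(2009, 8, 1, 4, 0, 0)),
    ("Exe2Aut v0.11.0.0 - AutoIt3 Decompiler.rar", RAR4_MARKER, datetime(2009, 8, 1, 4, 1, 0)),
])

if __name__ == "__main__":
    for e in list_rar4(SAMPLE_RAR):
        print(f"{e['name']:45} {e['packed']:>7} {e['unpacked']:>7} "
              f"{e['os']} {e['method']} {e['mtime']:%Y:%m:%d %H:%M:%S}")
```

Two checks the walker keeps that a quick `strings` pass would not: every header's CRC is verified, so a truncated or tampered header is reported instead of yielding garbage names, and the marker is matched exactly, so a RAR5 file (different signature, different header format) is refused rather than misparsed. Note that DOS timestamps have 2-second resolution, which is why a tool reading the header can show an odd second only when the optional extended-time field is present.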
No data.
All screenshots are available in the full report
Total processes: 76
Monitored processes: 19
Malicious processes: 8
Suspicious processes: 1

Behavior graph

Processes in launch order ("no specs" is the report's own label for a node without further details):
winrar.exe (no specs), winrar.exe (no specs), winrar.exe, searchprotocolhost.exe (no specs), exe2aut.exe, testing_1.exe (no specs), exe2aut.exe (no specs), testing_2.exe (no specs), upxup.exe (no specs), upxup.exe (no specs), upx.exe (no specs), deupx.exe (no specs), desimpleupxcryptor.exe, upxf.exe (no specs), upx-ripper.exe, upx.exe (no specs), upx.exe (no specs), $hit die.exe (no specs), deupx.exe (no specs)

Process information

Per process: PID, command line, image path, parent process, then user, integrity level, exit code, version and loaded modules as listed.
PID: 372
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe10_ Global\UsGthrCtrlFltPipeMssGthrPipe10 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\searchprotocolhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1224
CMD: "C:\Users\admin\Desktop\UPX_Unpackers\UPXFIX by DiKeN\upxf.exe"
Path: C:\Users\admin\Desktop\UPX_Unpackers\UPXFIX by DiKeN\upxf.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\upx_unpackers\upxfix by diken\upxf.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
PID: 1512
CMD: "C:\Users\admin\Desktop\UPX_Unpackers\unUPXProtector\UPXUP.exe"
Path: C:\Users\admin\Desktop\UPX_Unpackers\unUPXProtector\UPXUP.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\upx_unpackers\unupxprotector\upxup.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvbvm60.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
PID: 1640
CMD: "C:\Users\admin\Desktop\UPX_Unpackers\RLdeUPX 1.x-3.x\deUPX.exe"
Path: C:\Users\admin\Desktop\UPX_Unpackers\RLdeUPX 1.x-3.x\deUPX.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\upx_unpackers\rldeupx 1.x-3.x\deupx.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\users\admin\desktop\upx_unpackers\rldeupx 1.x-3.x\titanengine.dll
c:\windows\system32\imagehlp.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\psapi.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1660
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\Rar$DIa2268.237\Exe2Aut v0.11.0.0 - AutoIt3 Decompiler.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: WinRAR.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 1936
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\UPX_Unpackers.rar" C:\Users\admin\Desktop\UPX_Unpackers\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2084
CMD: "C:\Users\admin\Desktop\testing_2.exe"
Path: C:\Users\admin\Desktop\testing_2.exe
Parent process: Exe2Aut.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Version: 1.1.26.00
Modules
Images
c:\users\admin\desktop\testing_2.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\winmm.dll
PID: 2108
CMD: "C:\Users\admin\Desktop\UPX_Unpackers\UPX-Ripper 1.3\upx.exe"
Path: C:\Users\admin\Desktop\UPX_Unpackers\UPX-Ripper 1.3\upx.exe
Parent process: explorer.exe
User: admin
Company: The UPX Team http://upx.sf.net
Integrity Level: MEDIUM
Description: UPX executable packer
Exit code: 1
Version: 1.94 beta (2006-03-11)
Modules
Images
c:\users\admin\desktop\upx_unpackers\upx-ripper 1.3\upx.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
PID: 2268
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\UPX_Unpackers.rar"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2284
CMD: "C:\Users\admin\Desktop\testing_1.exe"
Path: C:\Users\admin\Desktop\testing_1.exe
Parent process: Exe2Aut.exe
User: admin
Integrity Level: MEDIUM
Exit code: 0
Modules
Images
c:\users\admin\desktop\testing_1.exe
c:\systemroot\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\wsock32.dll
c:\windows\system32\ws2_32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\nsi.dll
c:\windows\system32\version.dll
Total events: 4 062
Read events: 3 739
Write events: 316
Delete events: 7

Modification events

Format: PID process | operation | key | name = value

2268 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP = (empty)
2268 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon = (empty)
2268 WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\59\52C64B7E | LanguageList = en-US
2268 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 = C:\Users\admin\AppData\Local\Temp\UPX_Unpackers.rar
2268 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name = 120
2268 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size = 80
2268 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type = 120
2268 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime = 100
2268 WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\59\52C64B7E | @C:\Windows\System32\ieframe.dll,-10046 = Internet Shortcut
1660 WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP = (empty)
Executable files: 19
Suspicious files: 2
Text files: 9
Unknown types: 0

Dropped files

Format: PID process | filename | type (MD5 and SHA256 columns are blank in this excerpt)

1660 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRb1660.1306\Exe2Aut v0.11\Exe2Aut.exe | (type not listed)
2268 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2268.2415\testing_2.exe | (type not listed)
2268 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DRa2268.2415\testing_1.exe | (type not listed)
2268 WinRAR.exe | C:\Users\admin\AppData\Local\Temp\Rar$DIa2268.237\Exe2Aut v0.11.0.0 - AutoIt3 Decompiler.rar | compressed
1936 WinRAR.exe | C:\Users\admin\Desktop\UPX_Unpackers\RLdeUPX 1.x-3.x\deUPX.exe | executable
1936 WinRAR.exe | C:\Users\admin\Desktop\UPX_Unpackers\unUPXProtector\UPXUP.exe | executable
1936 WinRAR.exe | C:\Users\admin\Desktop\UPX_Unpackers\UPX 3.08w\upx.1 | text
1936 WinRAR.exe | C:\Users\admin\Desktop\UPX_Unpackers\RLdeUPX 1.x-3.x\TitanEngine.dll | executable
1936 WinRAR.exe | C:\Users\admin\Desktop\UPX_Unpackers\ShitDie 0.1\Team - X.nfo | text
1936 WinRAR.exe | C:\Users\admin\Desktop\UPX_Unpackers\UPXFIX\upx.exe | executable
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: no HTTP requests
Connections: no data
DNS requests: no data
Threats: no threats detected
Debug output (process: message)

upx-ripper.exe: OnDestroy or PostNcDestroy in derived class will not be
upx-ripper.exe: OnDestroy or PostNcDestroy in derived class will not be called.