PUP.Bat2Exe.F

By CagedTech in Potentially Unwanted Programs

Table of Contents

Analysis Report

General information

Family Name:	PUP.Bat2Exe.F
Packers:	UPX
Signature status:	No Signature

Known Samples

MD5: 741afcf7fdb1dbda0e858b427481aaed

SHA1: c9f33a7413ce1fccf6826bd645c371107a8984ab

SHA256: 28C25FC93D8DACFF158A07D9744BA7070BBC16D43597E8CAD114AB09B64EDBD8

File Size: 82.94 KB, 82944 bytes

MD5: 93b2ab4476b9375e3d91dece51ba162e

SHA1: 84c319c8f35c2d1d7fcade79a482ff01857f9818

SHA256: 3A5DBCF74EBB20B1439A41E8D506C14B96F4C8CCA821AD80219425528ABA471A

File Size: 12.80 KB, 12800 bytes

MD5: 6dfc4ed97dd029cd66af99233a6e348b

SHA1: 54769a98d1a521eaa4142f6fe5b87568b4c75d5e

SHA256: ECCAC361C7D7B649974FD89A38FAEEEED18A46DD3558D50A392F2EAA5EA02CFA

File Size: 76.29 KB, 76288 bytes

MD5: 597efb3c5f10b92812af0a1f70758017

SHA1: 6316bddf326382cc51a17fcdb99581898a398ccd

SHA256: 684B1902D0CE1A3EC2A2DFF82872E0AEBFE9920595BE2D217DF07D667510F679

File Size: 9.22 KB, 9216 bytes

Windows Portable Executable Attributes

File doesn't have "Rich" header
File doesn't have debug information
File doesn't have exports table
File doesn't have relocations information
File doesn't have security information
File has been packed
File is 32-bit executable
File is either console or GUI application
File is GUI application (IMAGE_SUBSYSTEM_WINDOWS_GUI)
File is Native application (NOT .NET application)

IMAGE_FILE_DLL is not set inside PE header (Executable)
IMAGE_FILE_EXECUTABLE_IMAGE is set inside PE header (Executable Image)

File Icons

Windows PE Version Information

Name	Value
File Version	1,0,0,0

File Traits

2+ executable sections
No Version Info
packed
x86

Block Information

Total Blocks:	16
Potentially Malicious Blocks:	0
Whitelisted Blocks:	16
Unknown Blocks:	0

Visual Map

0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0

0 - Probable Safe Block
? - Unknown Block
x - Potentially Malicious Block

Similar Families

Bat2Exe.F
Downloader.Agent.D

Files Modified

File	Attributes
c:\users\user\appdata\local\temp\1d0e.tmp\b2e.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\1fbe.tmp\batchfile.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2b6c.tmp\b2e.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\2dfd.tmp\batchfile.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\a822.tmp\b2e.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ab2f.tmp\batchfile.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\ef72.tmp\b2e.exe	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\f231.tmp\batchfile.bat	Generic Write,Read Attributes
c:\users\user\appdata\local\temp\selfdel0.bat	Generic Write,Read Attributes

Registry Modifications

Key::Value	Data	API Name
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	鰂ȁ獖}	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75	榀⬉ʾ鬎ʂ䈛x䀣ʲ茣ǧ숤ʨ䠱O᤹˃噀ñ뽹ɞ傄ë횎ǜɼķ鶝꾢ʊ閾ʴ淃駃ó⟋ʪ䧌V柏ũߙĤ¶⣳ġjᰂŁ鈄ĞꀌʎἘě鍂ꩠŖÉ窵ň	RegNtPreCreateKey

HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::proxybypass		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::intranetname		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::uncasintranet		RegNtPreCreateKey
HKCU\software\microsoft\windows\currentversion\internet settings\zonemap::autodetect		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	៚漠ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	鰅ȁ攘ť獖} 偫~ 엦1eꙥܰ엦1¶iꙥr=֢vꙥ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	鲀ȁਪˣ鈯ˣ遙̃豤̃অˣ炑̃濖̃賬̃獖}਷ˣ邯̃뫯ʃ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	뉀蜤玧ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	졖ﱼ西ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	掠﹞西ǜ	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc3475	闶ȁ ਪˣ鈯ˣ遙̃豤̃অˣ炑̃龡^濖̃賬̃獖}偫~엦1਷ˣ邯̃뫯ʃe¶r ֢	RegNtPreCreateKey
HKLM\software\microsoft\windows nt\currentversion\notifications\data::418a073aa3bc1c75		RegNtPreCreateKey
HKLM\system\controlset001\services\bam\state\usersettings\s-1-5-21-3119368278-1123331430-659265220-1001::\device\harddiskvolume2\windows\system32\conhost.exe	溕琌늊ǜ	RegNtPreCreateKey

Windows API Usage

Category	API
Anti Debug	IsDebuggerPresent
User Data Access	GetUserObjectInformation
Process Manipulation Evasion	NtUnmapViewOfSection
Process Shell Execute	ShellExecute ShellExecuteEx WriteConsole
Syscall Use	ntdll.dll!NtAccessCheck ntdll.dll!NtAlertThreadByThreadId ntdll.dll!NtAlpcConnectPortEx ntdll.dll!NtAlpcQueryInformation ntdll.dll!NtAlpcSendWaitReceivePort ntdll.dll!NtApphelpCacheControl ntdll.dll!NtAssociateWaitCompletionPacket ntdll.dll!NtClearEvent ntdll.dll!NtClose ntdll.dll!NtConnectPort Show More ntdll.dll!NtCreateEvent ntdll.dll!NtCreateFile ntdll.dll!NtCreateMutant ntdll.dll!NtCreateSection ntdll.dll!NtCreateSemaphore ntdll.dll!NtDeviceIoControlFile ntdll.dll!NtDuplicateObject ntdll.dll!NtDuplicateToken ntdll.dll!NtEnumerateKey ntdll.dll!NtEnumerateValueKey ntdll.dll!NtFreeVirtualMemory ntdll.dll!NtMapViewOfSection ntdll.dll!NtOpenDirectoryObject ntdll.dll!NtOpenEvent ntdll.dll!NtOpenFile ntdll.dll!NtOpenKey ntdll.dll!NtOpenKeyEx ntdll.dll!NtOpenMutant ntdll.dll!NtOpenProcessToken ntdll.dll!NtOpenProcessTokenEx ntdll.dll!NtOpenSection ntdll.dll!NtOpenSemaphore ntdll.dll!NtOpenThreadToken ntdll.dll!NtOpenThreadTokenEx ntdll.dll!NtProtectVirtualMemory ntdll.dll!NtQueryAttributesFile ntdll.dll!NtQueryInformationProcess ntdll.dll!NtQueryInformationThread ntdll.dll!NtQueryInformationToken ntdll.dll!NtQueryKey ntdll.dll!NtQueryPerformanceCounter ntdll.dll!NtQuerySecurityAttributesToken ntdll.dll!NtQuerySecurityObject ntdll.dll!NtQuerySystemInformation ntdll.dll!NtQueryValueKey ntdll.dll!NtQueryVirtualMemory ntdll.dll!NtQueryVolumeInformationFile ntdll.dll!NtQueryWnfStateData ntdll.dll!NtReleaseMutant ntdll.dll!NtReleaseSemaphore ntdll.dll!NtReleaseWorkerFactoryWorker ntdll.dll!NtRequestWaitReplyPort ntdll.dll!NtSetEvent ntdll.dll!NtSetInformationKey ntdll.dll!NtSetInformationProcess ntdll.dll!NtSetInformationVirtualMemory ntdll.dll!NtSetInformationWorkerFactory ntdll.dll!NtSetTimer2 ntdll.dll!NtSubscribeWnfStateChange ntdll.dll!NtTestAlert ntdll.dll!NtTraceControl ntdll.dll!NtUnmapViewOfSection ntdll.dll!NtUnmapViewOfSectionEx ntdll.dll!NtWaitForAlertByThreadId ntdll.dll!NtWaitForMultipleObjects ntdll.dll!NtWaitForSingleObject ntdll.dll!NtWaitForWorkViaWorkerFactory ntdll.dll!NtWaitLowEventPair ntdll.dll!NtWorkerFactoryWorkerReady ntdll.dll!NtWriteFile UNKNOWN
Process Terminate	TerminateProcess

Shell Command Execution


							open C:\Users\Pwjkoeng\AppData\Local\Temp\2B6C.tmp\b2e.exe C:\Users\Pwjkoeng\AppData\Local\Temp\2B6C.tmp\b2e.exe c:\users\user\downloads "c:\users\user\downloads\c9f33a7413ce1fccf6826bd645c371107a8984ab_0000082944"


							open C:\Users\Pwjkoeng\AppData\Local\Temp\2DFD.tmp\batchfile.bat


							WriteConsole: The system canno


							WriteConsole: The system canno


							WriteConsole: The system canno


									WriteConsole: Could Not Find c


									WriteConsole: The system canno


									WriteConsole: The system canno


									WriteConsole: 'w.bat' is not r


									WriteConsole: goto was unexpec


									open C:\Users\Pwjkoeng\AppData\Local\Temp\selfdel0.bat


									open C:\Users\Qcyhfkna\AppData\Local\Temp\1D0E.tmp\b2e.exe C:\Users\Qcyhfkna\AppData\Local\Temp\1D0E.tmp\b2e.exe c:\users\user\downloads "c:\users\user\downloads\84c319c8f35c2d1d7fcade79a482ff01857f9818_0000012800"


									open C:\Users\Qcyhfkna\AppData\Local\Temp\1FBE.tmp\batchfile.bat


									open C:\Users\Smntfksk\AppData\Local\Temp\A822.tmp\b2e.exe C:\Users\Smntfksk\AppData\Local\Temp\A822.tmp\b2e.exe c:\users\user\downloads "c:\users\user\downloads\54769a98d1a521eaa4142f6fe5b87568b4c75d5e_0000076288"


									open C:\Users\Smntfksk\AppData\Local\Temp\AB2F.tmp\batchfile.bat


									WriteConsole: c:\users\user\do


									WriteConsole: The syntax of th


									WriteConsole: c:\Users\user\do


									WriteConsole: === Backup Data


									WriteConsole: 'exp' is not rec


									open C:\Users\Smntfksk\AppData\Local\Temp\selfdel0.bat


									open C:\Users\Jqgpnhbn\AppData\Local\Temp\EF72.tmp\b2e.exe C:\Users\Jqgpnhbn\AppData\Local\Temp\EF72.tmp\b2e.exe c:\users\user\downloads "c:\users\user\downloads\6316bddf326382cc51a17fcdb99581898a398ccd_0000009216"


									open C:\Users\Jqgpnhbn\AppData\Local\Temp\F231.tmp\batchfile.bat


									WriteConsole: ****************


									WriteConsole:


									WriteConsole:       - SwissMan


									WriteConsole:       ( CRO Rati


									WriteConsole:     obnavlja sta


									WriteConsole:         na C-dis


									WriteConsole: Press any key to


									WriteConsole:     Administrato


									WriteConsole:     pravo Ime ko


									WriteConsole:     za odustajan


									WriteConsole:             xxx


									WriteConsole:     koncentriraj


									WriteConsole: Ubaci sistemsko

EnigmaSoft’s Payment Processor Digital River GmbH Filing for Bankruptcy Does Not Impact SpyHunter Customers’ Anti-Malware Protection

Search

Change Region

PUP.Bat2Exe.F

Analysis Report

General information

Known Samples

Known Samples

Windows Portable Executable Attributes

Windows Portable Executable Attributes

File Icons

File Icons

Windows PE Version Information

Windows PE Version Information

File Traits

Block Information

Block Information

Visual Map

Similar Families

Similar Families

Files Modified

Files Modified

Registry Modifications

Registry Modifications

Windows API Usage

Windows API Usage

Shell Command Execution

Shell Command Execution

Submit Comment

Trending

Kinderbetreuungholzwarth.de

'Policija un Drošības Policija' Ransomware

Atradsllc.com

Most Viewed

How To Fix 'Printer Driver is Unavailable' Error

How to Fix 'macOS cannot verify that this app is...

Discord Shows Black Screen when Sharing Screen