File name: samsam

Full analysis: https://app.any.run/tasks/301d62a8-23b5-4594-8c9d-51d19b4dec1a
Verdict: Malicious activity
Analysis date: November 30, 2024, 12:39:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5: 4C8FB28A68168430FD447BA1B92F4F42
SHA1: DFA673BFBF644EAEF6DC6C70FF8DB4CEED2DB8F1
SHA256: 6BC2AA391B8EF260E79B99409E44011874630C2631E4487E82B76E5CB0A49307
SSDEEP: 6144:u7FMVY8SHYEWFx0fQCtnFa9bc/OF4db5Ci8m9dk9:uH8+YEovCFKbc/hp

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Deletes shadow copies

      • samsam.exe (PID: 1632)
    • Actions looks like stealing of personal data

      • samsam.exe (PID: 1632)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • samsam.exe (PID: 1632)
  • INFO

    • Reads the computer name

      • wmpnscfg.exe (PID: 1836)
      • selfdel.exe (PID: 1916)
    • Checks supported languages

      • samsam.exe (PID: 1632)
      • selfdel.exe (PID: 1916)
      • wmpnscfg.exe (PID: 1836)
    • Manual execution by a user

      • wmpnscfg.exe (PID: 1836)
    • Create files in a temporary directory

      • samsam.exe (PID: 1632)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Generic CIL Executable (.NET, Mono, etc.) (63.1)
.exe | Win64 Executable (generic) (23.8)
.dll | Win32 Dynamic Link Library (generic) (5.6)
.exe | Win32 Executable (generic) (3.8)
.exe | Generic Win/DOS Executable (1.7)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2015:12:10 00:43:00+00:00
ImageFileCharacteristics: Executable, 32-bit
PEType: PE32
LinkerVersion: 11
CodeSize: 193536
InitializedDataSize: 2048
UninitializedDataSize: -
EntryPoint: 0x3133e
OSVersion: 4
ImageVersion: -
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x003f
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: Neutral
CharacterSet: Unicode
FileDescription: SAM
FileVersion: 1.0.0.0
InternalName: samsam.exe
LegalCopyright: Copyright © 2015
OriginalFileName: samsam.exe
ProductName: SAM
ProductVersion: 1.0.0.0
AssemblyVersion: 1.0.0.0
No data.
All screenshots are available in the full report
Total processes: 39
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Processes shown: start → samsam.exe; wmpnscfg.exe (no specs); selfdel.exe (no specs); vssadmin.exe (no specs). Per-process details are in the full report.

Process information

PID: 1632
CMD: "C:\Users\admin\AppData\Local\Temp\samsam.exe"
Path: C:\Users\admin\AppData\Local\Temp\samsam.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: SAM
Version: 1.0.0.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\samsam.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll

PID: 1768
CMD: "vssadmin" delete shadows /all /quiet
Path: C:\Windows\System32\vssadmin.exe
Parent process: samsam.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Command Line Interface for Microsoft® Volume Shadow Copy Service
Exit code: 2
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 1836
CMD: "C:\Program Files\Windows Media Player\wmpnscfg.exe"
Path: C:\Program Files\Windows Media Player\wmpnscfg.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Media Player Network Sharing Service Configuration Application
Exit code: 0
Version: 12.0.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
  • c:\program files\windows media player\wmpnscfg.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll

PID: 1916
CMD: "C:\Users\admin\AppData\Local\Temp\selfdel.exe"
Path: C:\Users\admin\AppData\Local\Temp\selfdel.exe
Parent process: samsam.exe
User: admin
Integrity Level: MEDIUM
Description: selfdel
Version: 1.0.0.0
Modules (Images):
  • c:\users\admin\appdata\local\temp\selfdel.exe
  • c:\windows\system32\ntdll.dll
  • c:\windows\system32\mscoree.dll
  • c:\windows\system32\kernel32.dll
  • c:\windows\system32\kernelbase.dll
  • c:\windows\system32\advapi32.dll
  • c:\windows\system32\msvcrt.dll
  • c:\windows\system32\sechost.dll
  • c:\windows\system32\rpcrt4.dll
  • c:\windows\microsoft.net\framework\v4.0.30319\mscoreei.dll
Total events: 137
Read events: 137
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 2
Suspicious files: 4
Text files: 3
Unknown types: 0

Dropped files

PID: 1632 | Process: samsam.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\selfdel.exe
MD5: 710A45E007502B8F42A27EE05DCD2FBA
SHA256: 32445C921079AA3E26A376D70EF6550BAFEB1F6B0B7037EF152553BB5DAD116F

PID: 1632 | Process: samsam.exe | Type: gmc
Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\AccLR.cab.encryptedRSA
MD5: D2A70550489DE356A2CD6BFC40711204
SHA256: E80232B4D18D0BB7E794BE263BA937626F383F9917D4B8A737BA893A8F752293

PID: 1632 | Process: samsam.exe | Type: binary
Filename: C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\AccLR.cab.encryptedRSA
MD5: D2A70550489DE356A2CD6BFC40711204
SHA256: E80232B4D18D0BB7E794BE263BA937626F383F9917D4B8A737BA893A8F752293

PID: 1632 | Process: samsam.exe | Type: gmc
Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\AccLR.cab.encryptedRSA
MD5: D2A70550489DE356A2CD6BFC40711204
SHA256: E80232B4D18D0BB7E794BE263BA937626F383F9917D4B8A737BA893A8F752293

PID: 1632 | Process: samsam.exe | Type: text
Filename: C:\MSOCache\All Users\{90140000-0015-0407-0000-0000000FF1CE}-C\HELP_DECRYPT_YOUR_FILES.txt
MD5: F5511F3A15383CD29752FBD03BF440B0
SHA256: 3232140E763E656274E8457DEEF3A8F991D32620E6878685FAD07EEFB2F8E2C4

PID: 1632 | Process: samsam.exe | Type: gmc
Filename: C:\MSOCache\All Users\{90140000-0015-0411-0000-0000000FF1CE}-C\AccLR.cab.encryptedRSA
MD5: D2A70550489DE356A2CD6BFC40711204
SHA256: E80232B4D18D0BB7E794BE263BA937626F383F9917D4B8A737BA893A8F752293

PID: 1632 | Process: samsam.exe | Type: text
Filename: C:\MSOCache\All Users\{90140000-0015-0410-0000-0000000FF1CE}-C\HELP_DECRYPT_YOUR_FILES.txt
MD5: F5511F3A15383CD29752FBD03BF440B0
SHA256: 3232140E763E656274E8457DEEF3A8F991D32620E6878685FAD07EEFB2F8E2C4

PID: 1632 | Process: samsam.exe | Type: executable
Filename: C:\Users\admin\AppData\Local\Temp\del.exe
MD5: E189B5CE11618BB7880E9B09D53A588F
SHA256: 97D27E1225B472A63C88AC9CFB813019B72598B9DD2D70FE93F324F7D034FB95

PID: 1632 | Process: samsam.exe | Type: text
Filename: C:\MSOCache\All Users\{90140000-0015-040C-0000-0000000FF1CE}-C\HELP_DECRYPT_YOUR_FILES.txt
MD5: F5511F3A15383CD29752FBD03BF440B0
SHA256: 3232140E763E656274E8457DEEF3A8F991D32620E6878685FAD07EEFB2F8E2C4
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 4 | Process: System | IP: 192.168.100.255:137 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 1108 | Process: svchost.exe | IP: 224.0.0.252:5355 | Domain: - | ASN: - | CN: - | Reputation: whitelisted
PID: 4 | Process: System | IP: 192.168.100.255:138 | Domain: - | ASN: - | CN: - | Reputation: whitelisted

DNS requests

Domain: google.com | IP: 142.250.185.206 | Reputation: whitelisted

Threats

No threats detected
No debug info