File name:

samsung_notes.bat

Full analysis: https://app.any.run/tasks/1472ef2a-dfae-415a-af76-571ec69dbae7
Verdict: Malicious activity
Analysis date: May 18, 2024, 16:12:06
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: text/plain
File info: ASCII text, with very long lines (363), with CRLF line terminators
MD5:

86F37D90024D178FBCD1609F8383B33D

SHA1:

11A37D0D5F951E9341C3216CC4F16C1A42760CFF

SHA256:

993B08E24FFCA38478CEFE91B10CE9D7CD13CA64A74211CF8F4FF9BFB61C0195

SSDEEP:

12:btIdk5jtnrC0yyGyDHx9sM3d2K+89udqQghlaVM1tWtJj:b+otrlyRgx9so2e98UaVM8F

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    • Create files in the Startup directory

      • cmd.exe (PID: 2044)

  • SUSPICIOUS

    • Reads the Internet Settings

      • cmd.exe (PID: 3976)
      • wscript.exe (PID: 4036)
      • wscript.exe (PID: 2456)
      • cmd.exe (PID: 1980)

    • Starts CMD.EXE for commands execution

      • wscript.exe (PID: 4036)
      • wscript.exe (PID: 2456)

    • Uses REG/REGEDIT.EXE to modify registry

      • cmd.exe (PID: 2044)
      • cmd.exe (PID: 2324)

    • Executing commands from a ".bat" file

      • wscript.exe (PID: 4036)
      • wscript.exe (PID: 2456)

    • The process executes VB scripts

      • cmd.exe (PID: 3976)
      • cmd.exe (PID: 1980)

    • Runs shell command (SCRIPT)

      • wscript.exe (PID: 4036)
      • wscript.exe (PID: 2456)

  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 1980)
      • notepad.exe (PID: 2372)
      • explorer.exe (PID: 1768)

    • Creates files in the program directory

      • cmd.exe (PID: 2044)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
59
Monitored processes
16
Malicious processes
2
Suspicious processes
3

Behavior graph

Click at the process to see the details
start cmd.exe no specs fsutil.exe no specs wscript.exe no specs cmd.exe fsutil.exe no specs reg.exe no specs reg.exe no specs explorer.exe no specs cmd.exe no specs fsutil.exe no specs wscript.exe no specs cmd.exe fsutil.exe no specs reg.exe no specs reg.exe no specs notepad.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
1292reg add "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v SystemProductName /t REG_SZ /d "NP950QDB-KA1US" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
1432fsutil dirty query C: C:\Windows\System32\fsutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
fsutil.exe
Exit code:
0
Version:
6.1.7601.17577 (win7sp1_gdr.110310-1504)
Modules
Images
c:\windows\system32\fsutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\ole32.dll
1768"C:\Windows\explorer.exe" C:\Windows\explorer.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Explorer
Exit code:
1
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
1980C:\Windows\system32\cmd.exe /c ""C:\Users\admin\AppData\Local\Temp\samsung_notes.bat" "C:\Windows\System32\cmd.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2044"C:\Windows\System32\cmd.exe" /k cd "C:\Users\admin\AppData\Local\Temp\" && C:\Users\admin\AppData\Local\Temp\SAMSUN~1.BAT C:\Windows\System32\cmd.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2180reg add "HKLM\HARDWARE\DESCRIPTION\System\BIOS" /v SystemManufacturer /t REG_SZ /d "Samsung" /fC:\Windows\System32\reg.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Registry Console Tool
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\reg.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
2324"C:\Windows\System32\cmd.exe" /k cd "C:\Users\admin\AppData\Local\Temp\" && C:\Users\admin\AppData\Local\Temp\SAMSUN~1.BAT C:\Windows\System32\cmd.exe
wscript.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
2340fsutil dirty query C: C:\Windows\System32\fsutil.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
fsutil.exe
Exit code:
1
Version:
6.1.7601.17577 (win7sp1_gdr.110310-1504)
Modules
Images
c:\windows\system32\fsutil.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\ktmw32.dll
c:\windows\system32\ole32.dll
2372"C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\AppData\Local\Temp\samsung_notes.batC:\Windows\System32\notepad.exeexplorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
2456"C:\Windows\System32\WScript.exe" "C:\Users\admin\AppData\Local\Temp\getadmin.vbs" C:\Windows\System32\wscript.execmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft ® Windows Based Script Host
Exit code:
0
Version:
5.8.7600.16385
Modules
Images
c:\windows\system32\wscript.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events
7 090
Read events
7 054
Write events
36
Delete events
0

Modification events

(PID) Process:(3976) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(3976) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(3976) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(3976) cmd.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(4036) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:ProxyBypass
Value:
1
(PID) Process:(4036) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:IntranetName
Value:
1
(PID) Process:(4036) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:UNCAsIntranet
Value:
1
(PID) Process:(4036) wscript.exeKey:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation:writeName:AutoDetect
Value:
0
(PID) Process:(1292) reg.exeKey:HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Operation:writeName:SystemProductName
Value:
NP950QDB-KA1US
(PID) Process:(2180) reg.exeKey:HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\BIOS
Operation:writeName:SystemManufacturer
Value:
Samsung
Executable files
0
Suspicious files
0
Text files
3
Unknown types
0

Dropped files

PID
Process
Filename
Type
2044cmd.exeC:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\samsung_notes.battext
MD5:86F37D90024D178FBCD1609F8383B33D
SHA256:993B08E24FFCA38478CEFE91B10CE9D7CD13CA64A74211CF8F4FF9BFB61C0195
1980cmd.exeC:\Users\admin\AppData\Local\Temp\getadmin.vbstext
MD5:C3F9FE9125C2F98CAAEFF017055088CA
SHA256:A7645AB349B137C711D2033625E93FECF55B9215A7DE01C94D09738E66B6ACA6
3976cmd.exeC:\Users\admin\AppData\Local\Temp\getadmin.vbstext
MD5:C3F9FE9125C2F98CAAEFF017055088CA
SHA256:A7645AB349B137C711D2033625E93FECF55B9215A7DE01C94D09738E66B6ACA6
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
4
System
192.168.100.255:137
whitelisted
224.0.0.252:5355
unknown
4
System
192.168.100.255:138
whitelisted
1088
svchost.exe
224.0.0.252:5355
unknown

DNS requests

No data

Threats

No threats detected
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
samsung_notes.bat