File name: files.cab
Full analysis: https://app.any.run/tasks/2a3fd1fd-7c1e-4278-bb72-a310015364f3
Verdict: Malicious activity
Analysis date: November 29, 2020, 10:51:11
OS: Windows 7 Professional Service Pack 1 (build: 7601, 64 bit)
Indicators:
MIME: application/vnd.ms-cab-compressed
File info: Microsoft Cabinet archive data, 473611 bytes, 42 files
MD5: 87FB33B0283C6D949B7F0EA16037B324
SHA1: 175FD2D0F8140DBDF6F72E588B60EDBC09188BD8
SHA256: C63876DD54C912A87450EE3344B215793794CB9AB1EDA264C7774A700BEAD70D
SSDEEP: 12288:JY69daSc4mGtteR0S84o2d1cuVRYR7gv23oW:KSNtsR+p2suc6vbW
ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS
    • Application was dropped or rewritten from another process
      • MountImg.exe (PID: 1448)
      • ImDisk-Dlg.exe (PID: 2448)
      • MountImg.exe (PID: 1396)
      • ImDisk-Dlg.exe (PID: 2312)
  • SUSPICIOUS
    • Drops a file with a compile date too recent
      • WinRAR.exe (PID: 1608)
    • Drops a file that was compiled in debug mode
      • WinRAR.exe (PID: 1608)
    • Executable content was dropped or overwritten
      • WinRAR.exe (PID: 1608)
    • Drops a file with too old compile date
      • WinRAR.exe (PID: 1608)
    • Application launched itself
      • MountImg.exe (PID: 1448)
  • INFO
    • Manual execution by user
      • cmd.exe (PID: 1412)
      • MountImg.exe (PID: 1448)
      • ImDisk-Dlg.exe (PID: 2448)
      • ImDisk-Dlg.exe (PID: 2312)
No Malware configuration.

TRiD: .cab | Microsoft Cabinet Archive (100)
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 6
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive in the full report)

start -> winrar.exe, cmd.exe (no specs), mountimg.exe (no specs), mountimg.exe, imdisk-dlg.exe (no specs), imdisk-dlg.exe

Process information

PID 1608 | Parent: explorer.exe
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\AppData\Local\Temp\files.cab"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  User: admin | Company: Alexander Roshal | Integrity Level: MEDIUM
  Description: WinRAR archiver | Version: 5.60.0

PID 1412 | Parent: explorer.exe
  CMD: "C:\Windows\system32\cmd.exe"
  Path: C:\Windows\system32\cmd.exe
  User: admin | Company: Microsoft Corporation | Integrity Level: MEDIUM
  Description: Windows Command Processor | Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID 1448 | Parent: explorer.exe
  CMD: "C:\Users\admin\Desktop\MountImg.exe"
  Path: C:\Users\admin\Desktop\MountImg.exe
  User: admin | Integrity Level: MEDIUM
  Description: Mount new virtual disk | Exit code: 0

PID 1396 | Parent: MountImg.exe
  CMD: "C:\Users\admin\Desktop\MountImg.exe" /UAC 4 "C:\Users\admin\Desktop\MountImg.exe"
  Path: C:\Users\admin\Desktop\MountImg.exe
  User: admin | Integrity Level: HIGH
  Description: Mount new virtual disk | Exit code: 0

PID 2448 | Parent: explorer.exe
  CMD: "C:\Users\admin\Desktop\ImDisk-Dlg.exe"
  Path: C:\Users\admin\Desktop\ImDisk-Dlg.exe
  User: admin | Integrity Level: MEDIUM
  Description: ImDisk | Exit code: 3221226540 (0xC000042C, STATUS_ELEVATION_REQUIRED)

PID 2312 | Parent: explorer.exe
  CMD: "C:\Users\admin\Desktop\ImDisk-Dlg.exe"
  Path: C:\Users\admin\Desktop\ImDisk-Dlg.exe
  User: admin | Integrity Level: HIGH
  Description: ImDisk | Exit code: 1
Total events: 612
Read events: 588
Write events: 24
Delete events: 0

Modification events

PID | Process | Operation | Key | Name | Value
1608 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtBMP | (empty)
1608 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes | ShellExtIcon | (empty)
1608 | WinRAR.exe | write | HKEY_CLASSES_ROOT\Local Settings\MuiCache\13B\52C64B7E | LanguageList | en-US
1608 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\ArcHistory | 0 | C:\Users\admin\AppData\Local\Temp\files.cab
1608 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | name | 120
1608 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | size | 80
1608 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | type | 120
1608 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths | mtime | 100
1608 | WinRAR.exe | write | HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath | 0 | C:\Users\admin\Desktop
1448 | MountImg.exe | write | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | 1
Executable files: 26
Suspicious files: 0
Text files: 14
Unknown types: 2

Dropped files

PID | Process | Filename | Type
1608 | WinRAR.exe | C:\Users\admin\Desktop\DiscUtils.Core.dll | executable
  MD5: 813B770B73E9505B3EA3EB6D7D6CA7CF | SHA256: 3A99CC01DF1D29707FEB851865E9C71374CB889130D1849599E0E90F9FCFA9AF
1608 | WinRAR.exe | C:\Users\admin\Desktop\DiscUtils.Vhd.dll | executable
  MD5: F9760CEBAA347078DB0B7AED6DC7FA87 | SHA256: DB7C1E2CB7A2EA47AEF69425850464FAD452BDF45F49AEA406F79BE14C596E40
1608 | WinRAR.exe | C:\Users\admin\Desktop\DiscUtils.Vmdk.dll | executable
  MD5: 1F7B5B9A40B4491B9444BAE6B9FF71CF | SHA256: 5DA8D175424DD3C02777DD50AB68BFB9792F30FF507D141EA298814F18B36CB3
1608 | WinRAR.exe | C:\Users\admin\Desktop\DevioNet.dll | executable
  MD5: CCAF972C81EE77B07FBDAC457AFCF690 | SHA256: 501ADF028D9FA8CD874BB5B980358ADD57481D3BF547E68900E10EB10F37F80E
1608 | WinRAR.exe | C:\Users\admin\Desktop\DiscUtils.Streams.dll | executable
  MD5: E9B48528E79CC66F90A632CD8045B087 | SHA256: 825F3939189EF0B432932328A58A77ABF3C3260D249087ED82ADC239A53521ED
1608 | WinRAR.exe | C:\Users\admin\Desktop\DiscUtilsDevio.exe | executable
  MD5: CE8CC14DCBD1424CC49DCEE1A20097DE | SHA256: 9C380B67361EA80801DD47411F401B3EF9D56C75E2066FC60FBE9FB5662CB634
1608 | WinRAR.exe | C:\Users\admin\Desktop\MountImg.exe | executable
  MD5: EFF14343FD898429EC7257E268D3A920 | SHA256: 6BD7E8E7A87352202E0DCCE96833F8979F1EF792C048570022BA9BF7DFE44DA8
1608 | WinRAR.exe | C:\Users\admin\Desktop\DiscUtils.Vdi.dll | executable
  MD5: 5293E35B1F9F564CBF1516B3238A02D5 | SHA256: CFDF9420BEBD575B62F8F6ED303B0ADC46C012EF30537DCF02279A979149DC5B
1608 | WinRAR.exe | C:\Users\admin\Desktop\DiscUtils.Dmg.dll | executable
  MD5: 5A0B891A67A4842629085E31290E82A4 | SHA256: 7AA3EA9630EB6B6E6008F810D4D6C4478E8146C0AF11180855CC1B81CE26437E
1608 | WinRAR.exe | C:\Users\admin\Desktop\DiscUtils.Vhdx.dll | executable
  MD5: 9FB3E1FC3999BB0B8949770F06BF8AEE | SHA256: F7AF7F93345B800C8C037200882CD6A926BB7BEB47423BB64A3104786B8D40B8
HTTP(S) requests: 0
TCP/UDP connections: 0
DNS requests: 0
Threats: 0

HTTP requests: none

Connections: no data
DNS requests: no data
Threats: no threats detected
No debug info