File name: ImDiskTk-x64.zip

Full analysis: https://app.any.run/tasks/550ff496-65b9-4f18-b65b-7b474ea64513
Verdict: Malicious activity
Analysis date: May 30, 2024, 01:54:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 180E502C0D441861F01B532D2072E512
SHA1: DE4FAE36103625FD0F80355DAA5E83A68D0A16A7
SHA256: FD5A32B7B6396EC6B23D6743E375B9D0F6C40C4F1FAB166D8E89A870555A4C57
SSDEEP: 24576:42PyENOnaHiadqQ/Wqmd7ULHM6HOg4LOFKLxqK5zA7ds+xiqm0mQweQKKLB4flWc:426ENOaHiadqQ/Wqmd7ULHM6HOg4LOFn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Application launched itself

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Executable content was dropped or overwritten

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
    • Drops a system driver (possible attempt to evade defenses)

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
    • Process drops legitimate windows executable

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
      • WinRAR.exe (PID: 2276)
      • WinRAR.exe (PID: 2328)
      • notepad.exe (PID: 2484)
    • Create files in a temporary directory

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
    • Drops the executable file immediately after the start

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:10 15:29:04
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: ImDiskTk20240210/
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 10
Malicious processes: 3
Suspicious processes: 4

Behavior graph

[Interactive process graph, available in the full report. Nodes: winrar.exe, cmd.exe, cmd.exe, extrac32.exe, cmd.exe, cmd.exe, extrac32.exe, winrar.exe, winrar.exe, notepad.exe]

Process information

Columns: PID, CMD, Path, Indicators, Parent process
PID: 1616
CMD: "C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\ImDiskTk20240210\install.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 1704
CMD: cmd /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" 7 "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 2068
CMD: extrac32.exe /e /l "C:\Users\admin\AppData\Local\Temp\ImDisk 25615.69" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path: C:\Windows\System32\extrac32.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 2108
CMD: extrac32.exe /e /l "C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path: C:\Windows\System32\extrac32.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID: 2276
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2328
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab" C:\Users\admin\Desktop\ImDiskTk20240210\files\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 2484
CMD: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\ImDiskTk20240210\install.bat
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID: 3940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\ImDiskTk-x64.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID: 4064
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID: 4092
CMD: cmd /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" 7 "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 6 802
Read events: 6 759
Write events: 43
Delete events: 0

Modification events

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

Process: (3940) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\ImDiskTk-x64.zip

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files: 111
Suspicious files: 3
Text files: 58
Unknown types: 1

Dropped files

Columns: PID, Process, Filename, Type
PID: 2108 | Process: extrac32.exe | Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\ImDisk-Dlg.exe | Type: executable
MD5:E9134F0CEA98F09D1AF7607B8DD311F9
SHA256:CBCC13FB387DD8B7353F89018092C3444B84B064C3E49B6BD4D330080088976E
PID: 2108 | Process: extrac32.exe | Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\config.exe | Type: executable
MD5:2FF6F1CCF88EB90D5207219E4798EAC3
SHA256:D380518802CCCE5673C030BDE0C2048038AEF76B347950125C38445E58C28511
PID: 3940 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\ImDiskTk20240210\files.cab | Type: compressed
MD5:D0E88BB4F5F956DDC184F2ABC2B01A26
SHA256:7CCD32EFB59BCC109736FC6BC69374EFB33CEA7C80A1BF0E7AC6C319CF8CFE2D
PID: 3940 | Process: WinRAR.exe | Filename: C:\Users\admin\Desktop\ImDiskTk20240210\install.bat | Type: text
MD5:2FD9AD12197839ED71F1B472D8574530
SHA256:7A6C2110BBFB92F88B331CD438BB90208CF8E2D8AC19058D0EA744F6016A06A6
PID: 2108 | Process: extrac32.exe | Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\ImDisk Virtual Disk Driver.lnk | Type: lnk
MD5:CE2DA510E9CF5C6369BFA0834254D265
SHA256:41F8715F373CCF7E47DA5623F946018DE5F13BD8C5BE09F0D58C73FBA8D606D9
PID: 2108 | Process: extrac32.exe | Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Vhdx.dll | Type: executable
MD5:9C6AB287E83DD61C86DCD6AB5CA76CE5
SHA256:B127424A07BA1E13DEFDAA157F6AC1A4FF13CF465DC9716C2D23F24702D14CA2
PID: 2108 | Process: extrac32.exe | Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Vdi.dll | Type: executable
MD5:CD5CE1DB4EAA58E6BFA4039BA9528538
SHA256:C600821DC2596D38B2041EAA067EC74E6067D1295DEF947386990A8B49125C95
PID: 2108 | Process: extrac32.exe | Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Xva.dll | Type: executable
MD5:83EB033C8FEB0E05736089E747D94F6C
SHA256:7F796A47B22131F7E6B24CBC451355BE159791C16DA03C44163C9DF00C08836D
PID: 2108 | Process: extrac32.exe | Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtilsDevio.exe | Type: executable
MD5:050B69D97CC47274BD745C9161DCE039
SHA256:1FA371139DA4A67E47B054DBD23A62891FFC82333225B7EAB40B885E656A71EF
PID: 2108 | Process: extrac32.exe | Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Vmdk.dll | Type: executable
MD5:567B729766C0F145E1EC034F9B5BDCF0
SHA256:0B2B93D243EC54F455F3A16C9B0A71ED1A7497FE0F1A7B381A589E6F83CD91FB
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID   Process      IP                    Domain  ASN  CN  Reputation
4     System       192.168.100.255:138   -       -    -   whitelisted
4     System       192.168.100.255:137   -       -    -   whitelisted
-     -            224.0.0.252:5355      -       -    -   unknown
1088  svchost.exe  224.0.0.252:5355      -       -    -   unknown

DNS requests

No data

Threats

No threats detected
No debug info