File name:

ImDiskTk-x64.zip

Full analysis: https://app.any.run/tasks/550ff496-65b9-4f18-b65b-7b474ea64513
Verdict: Malicious activity
Analysis date: May 30, 2024, 01:54:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

180E502C0D441861F01B532D2072E512

SHA1:

DE4FAE36103625FD0F80355DAA5E83A68D0A16A7

SHA256:

FD5A32B7B6396EC6B23D6743E375B9D0F6C40C4F1FAB166D8E89A870555A4C57

SSDEEP:

24576:42PyENOnaHiadqQ/Wqmd7ULHM6HOg4LOFKLxqK5zA7ds+xiqm0mQweQKKLB4flWc:426ENOaHiadqQ/Wqmd7ULHM6HOg4LOFn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Application launched itself

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Executable content was dropped or overwritten

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Process drops legitimate windows executable

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
    • Drops a system driver (possible attempt to evade defenses)

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
      • WinRAR.exe (PID: 2276)
      • WinRAR.exe (PID: 2328)
      • notepad.exe (PID: 2484)
    • Create files in a temporary directory

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
    • Drops the executable file immediately after the start

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2328)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:10 15:29:04
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: ImDiskTk20240210/
No data.
All screenshots are available in the full report
Total processes
57
Monitored processes
10
Malicious processes
3
Suspicious processes
4


Process information

PID
CMD
Path
Indicators
Parent process
PID:
1616
CMD:
"C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\ImDiskTk20240210\install.bat"
Path:
C:\Windows\System32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
1704
CMD:
cmd /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" 7 "
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
2068
CMD:
extrac32.exe /e /l "C:\Users\admin\AppData\Local\Temp\ImDisk 25615.69" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path:
C:\Windows\System32\extrac32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
HIGH
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID:
2108
CMD:
extrac32.exe /e /l "C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path:
C:\Windows\System32\extrac32.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft® CAB File Extract Utility
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll
PID:
2276
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
2328
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab" C:\Users\admin\Desktop\ImDiskTk20240210\files\
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Exit code:
0
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
2484
CMD:
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\ImDiskTk20240210\install.bat
Path:
C:\Windows\System32\notepad.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Notepad
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll
PID:
3940
CMD:
"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\ImDiskTk-x64.zip
Path:
C:\Program Files\WinRAR\WinRAR.exe
Parent process:
explorer.exe
User:
admin
Company:
Alexander Roshal
Integrity Level:
MEDIUM
Description:
WinRAR archiver
Version:
5.91.0
Modules
Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll
PID:
4064
CMD:
C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" "
Path:
C:\Windows\System32\cmd.exe
Parent process:
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
PID:
4092
CMD:
cmd /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" 7 "
Path:
C:\Windows\System32\cmd.exe
Parent process:
cmd.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Command Processor
Exit code:
0
Version:
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules
Images
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events
6 802
Read events
6 759
Write events
43
Delete events
0

Modification events

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtBMP
Value:

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Operation: write
Name: ShellExtIcon
Value:

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Operation: write
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\ImDiskTk-x64.zip

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: name
Value: 120

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: size
Value: 80

(PID) Process: (3940) WinRAR.exe
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Operation: write
Name: type
Value: 120
Executable files
111
Suspicious files
3
Text files
58
Unknown types
1

Dropped files

PID
Process
Filename
Type
PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtilsDevio.exe
Type: executable
MD5: 050B69D97CC47274BD745C9161DCE039
SHA256: 1FA371139DA4A67E47B054DBD23A62891FFC82333225B7EAB40B885E656A71EF

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\config.exe
Type: executable
MD5: 2FF6F1CCF88EB90D5207219E4798EAC3
SHA256: D380518802CCCE5673C030BDE0C2048038AEF76B347950125C38445E58C28511

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DevioNet.dll
Type: executable
MD5: 54BB050CF95571D3EC4AAD0CC9DB2515
SHA256: 3D5699E37C931A9F93717F19EBCDDFD0777233D6B08321DB572993A621A06009

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtilsDevio.exe.config
Type: xml
MD5: 2A2DF45A07478A1C77D5834C21F3D7FD
SHA256: 051099983B896673909E01A1F631B6652ABB88DA95C9F06F3EFEF4BE033091FA

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\ImDisk Virtual Disk Driver.lnk
Type: lnk
MD5: CE2DA510E9CF5C6369BFA0834254D265
SHA256: 41F8715F373CCF7E47DA5623F946018DE5F13BD8C5BE09F0D58C73FBA8D606D9

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\ImDisk-Dlg.exe
Type: executable
MD5: E9134F0CEA98F09D1AF7607B8DD311F9
SHA256: CBCC13FB387DD8B7353F89018092C3444B84B064C3E49B6BD4D330080088976E

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Xva.dll
Type: executable
MD5: 83EB033C8FEB0E05736089E747D94F6C
SHA256: 7F796A47B22131F7E6B24CBC451355BE159791C16DA03C44163C9DF00C08836D

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\RamDyn.exe
Type: executable
MD5: 2CB9BC7A586304DA913591BADD7D6921
SHA256: C1ACF0682F3357CDBC12C7584D3B903F24632E0A42309954F173092F970693D1

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\RamDiskUI.exe
Type: executable
MD5: 1536019DCE9B06710BB3E49E455EA120
SHA256: 2EEB63FA39A86210A3024874F9FE4D71F8B8C2FA42EF2DDFF027760D07258FE6

PID: 2108
Process: extrac32.exe
Filename: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Core.dll
Type: executable
MD5: 0E1109BA370B330CCFD343F9D29EFA28
SHA256: D54693FBFBBAF5AC0F8765F9B98FD7F8D7368BB3076C9741E24E9480B71AA1B5
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
0
TCP/UDP connections
4
DNS requests
0
Threats
0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | - | - | - | unknown
4 | System | 192.168.100.255:137 | - | - | - | unknown
- | - | 224.0.0.252:5355 | - | - | - | unknown
1088 | svchost.exe | 224.0.0.252:5355 | - | - | - | unknown

DNS requests

No data

Threats

No threats detected
No debug info