File name: ImDiskTk-x64.zip

Full analysis: https://app.any.run/tasks/550ff496-65b9-4f18-b65b-7b474ea64513
Verdict: Malicious activity
Analysis date: May 30, 2024, 01:54:39
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5: 180E502C0D441861F01B532D2072E512
SHA1: DE4FAE36103625FD0F80355DAA5E83A68D0A16A7
SHA256: FD5A32B7B6396EC6B23D6743E375B9D0F6C40C4F1FAB166D8E89A870555A4C57
SSDEEP: 24576:42PyENOnaHiadqQ/Wqmd7ULHM6HOg4LOFKLxqK5zA7ds+xiqm0mQweQKKLB4flWc:426ENOaHiadqQ/Wqmd7ULHM6HOg4LOFn

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    No malicious indicators.
  • SUSPICIOUS

    • Starts CMD.EXE for commands execution

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Application launched itself

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Executable content was dropped or overwritten

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
    • Process drops legitimate windows executable

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
    • Executing commands from a ".bat" file

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
    • Drops a system driver (possible attempt to evade defenses)

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
  • INFO

    • Manual execution by a user

      • cmd.exe (PID: 4064)
      • cmd.exe (PID: 1616)
      • WinRAR.exe (PID: 2276)
      • WinRAR.exe (PID: 2328)
      • notepad.exe (PID: 2484)
    • Drops the executable file immediately after the start

      • extrac32.exe (PID: 2108)
      • extrac32.exe (PID: 2068)
      • WinRAR.exe (PID: 2328)
    • Create files in a temporary directory

      • extrac32.exe (PID: 2068)
      • extrac32.exe (PID: 2108)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2328)
Find more information about signature artifacts and their mapping to the MITRE ATT&CK™ matrix in the full report.
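Every indicator above is a behavioural heuristic, and the report itself records no malicious indicator. ImDisk Toolkit is a virtual-disk utility whose installer extracts a CAB with extrac32.exe, re-launches install.bat through a second cmd.exe and installs a kernel driver, so a clean copy trips the same rules; the hashes in this report are what you would compare against a known-good download. The report also shows install.bat being run twice, once elevated (PIDs 1616/1704/2068 at HIGH integrity) and once not (PIDs 4064/4092/2108 at MEDIUM), each extracting files.cab into a fresh %TEMP%\ImDisk <number> directory.

The Python below is an added example, not ANY.RUN output or ImDisk Toolkit code. It replays the MEDIUM-integrity chain and its file drops as constructed Sysmon-style events (Event ID 1 process create, Event ID 11 file create) built from the Process information and Dropped files sections, then applies the two checks behind the "Application launched itself" / "Executing commands from a .bat file" and "Executable content was dropped or overwritten" / "Create files in a temporary directory" indicators. The parent PIDs (4092 under 4064, 2108 under 4092), the explorer.exe path and the event schema are assumptions: the report lists only parent image names, and the PIDs are linked here because they share the MEDIUM integrity level.

```python
"""Replay the chain ANY.RUN recorded for ImDiskTk-x64.zip as Sysmon-style events
and apply the behavioural checks behind the report's indicators.

Added example, not ANY.RUN output or ImDisk Toolkit code. EVENTS is constructed
from the report's Process information and Dropped files sections. Parent PIDs
(4092 under 4064, 2108 under 4092), the explorer.exe path and the event schema
are assumptions; the report lists only parent image names.
"""
import re

CMD = r"C:\Windows\System32\cmd.exe"
EXTRAC32 = r"C:\Windows\System32\extrac32.exe"
EXPLORER = r"C:\Windows\explorer.exe"          # assumed path; the report shows only "explorer.exe"
DESKTOP = r"C:\Users\admin\Desktop\ImDiskTk20240210"
TEMP_OUT = r"C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37"   # PID 2108's extraction dir

# Constructed log. Sysmon numbering: eid 1 = process create, eid 11 = file create.
EVENTS = [
    {"eid": 1, "pid": 4064, "ppid": 1000, "image": CMD, "parent_image": EXPLORER,
     "cmd": rf'C:\Windows\system32\cmd.exe /c ""{DESKTOP}\install.bat" "'},
    {"eid": 1, "pid": 4092, "ppid": 4064, "image": CMD, "parent_image": CMD,
     "cmd": rf'cmd /c ""{DESKTOP}\install.bat" 7 "'},
    {"eid": 1, "pid": 2108, "ppid": 4092, "image": EXTRAC32, "parent_image": CMD,
     "cmd": rf'extrac32.exe /e /l "{TEMP_OUT}" "{DESKTOP}\files.cab"'},
    {"eid": 11, "pid": 2108, "image": EXTRAC32, "target": rf"{TEMP_OUT}\ImDiskTk-svc.exe"},
    {"eid": 11, "pid": 2108, "image": EXTRAC32, "target": rf"{TEMP_OUT}\MountImg.exe"},
    {"eid": 11, "pid": 2108, "image": EXTRAC32, "target": rf"{TEMP_OUT}\RamDyn.exe"},
    {"eid": 11, "pid": 2108, "image": EXTRAC32, "target": rf"{TEMP_OUT}\DiscUtils\DiscUtils.Core.dll"},
    {"eid": 11, "pid": 2108, "image": EXTRAC32, "target": rf"{TEMP_OUT}\ImDisk Virtual Disk Driver.lnk"},
    {"eid": 1, "pid": 2484, "ppid": 1000, "image": r"C:\Windows\System32\notepad.exe",
     "parent_image": EXPLORER, "cmd": rf'"C:\Windows\System32\NOTEPAD.EXE" {DESKTOP}\install.bat'},
]

EXEC_EXT = re.compile(r"\.(exe|dll|sys|scr|com)$", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)


def image_name(path):
    """Lower-cased file name of an image or target path."""
    return path.rsplit("\\", 1)[-1].lower()


def ancestry(events, pid):
    """Image names from the outermost observed parent down to pid, e.g.
    ['explorer.exe', 'cmd.exe', 'cmd.exe', 'extrac32.exe'] for the extrac32 run."""
    by_pid = {e["pid"]: e for e in events if e["eid"] == 1}
    chain, cur = [], by_pid.get(pid)
    while cur is not None:
        chain.append(image_name(cur["image"]))
        parent = by_pid.get(cur["ppid"])
        if parent is None:                      # parent not in the log: use the recorded name
            chain.append(image_name(cur["parent_image"]))
        cur = parent
    return chain[::-1]


def detect(events):
    """Return (rule, pid, detail) tuples for the two behaviours the report flagged."""
    hits = []
    for e in events:
        if e["eid"] == 1:
            # "Application launched itself" + "Executing commands from a .bat file":
            # cmd.exe spawned by cmd.exe with a batch script on its command line.
            if (image_name(e["image"]) == "cmd.exe" and image_name(e["parent_image"]) == "cmd.exe"
                    and ".bat" in e["cmd"].lower()):
                hits.append(("cmd_relaunch_from_bat", e["pid"], e["cmd"]))
        elif e["eid"] == 11:
            # "Executable content was dropped" + "Create files in a temporary directory":
            # extrac32.exe writing a PE-style extension under %LOCALAPPDATA%\Temp.
            # A .sys would match too; the report's listed drops contain none, so none is constructed.
            t = e["target"]
            if image_name(e["image"]) == "extrac32.exe" and EXEC_EXT.search(t) and TEMP_DIR.search(t):
                hits.append(("extrac32_drops_executable_in_temp", e["pid"], t))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(EVENTS):
        print(f"{rule:36} pid={pid} {' -> '.join(ancestry(EVENTS, pid))}  {detail}")
```

Run stand-alone, it reports one cmd.exe re-launch (PID 4092) and four executable drops by PID 2108, while the .lnk drop and the user's notepad.exe session stay silent. Against real Sysmon data the same two checks would fire on any ImDisk Toolkit install, which is the point: they tell you an installer ran, and only the hash comparison tells you whether it was the genuine one.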
No Malware configuration.

TRiD

.xpi | Mozilla Firefox browser extension (66.6)
.zip | ZIP compressed archive (33.3)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2024:02:10 15:29:04
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: ImDiskTk20240210/
No data.
All screenshots are available in the full report
Total processes: 57
Monitored processes: 10
Malicious processes: 3
Suspicious processes: 4

Behavior graph

Process nodes in the order the graph lists them (the interactive graph is in the full report; "no specs" is the report's tag for a node with no indicators of its own): winrar.exe (no specs), cmd.exe (no specs), cmd.exe (no specs), extrac32.exe, cmd.exe, cmd.exe (no specs), extrac32.exe, winrar.exe (no specs), winrar.exe, notepad.exe (no specs)

Process information

PID: 1616
CMD: "C:\Windows\System32\cmd.exe" /C "C:\Users\admin\Desktop\ImDiskTk20240210\install.bat"
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 1704
CMD: cmd /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" 7 "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 2068
CMD: extrac32.exe /e /l "C:\Users\admin\AppData\Local\Temp\ImDisk 25615.69" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path: C:\Windows\System32\extrac32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: HIGH
Description: Microsoft® CAB File Extract Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID: 2108
CMD: extrac32.exe /e /l "C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path: C:\Windows\System32\extrac32.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Microsoft® CAB File Extract Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\extrac32.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.24483_none_2b200f664577e14b\comctl32.dll

PID: 2276
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 2328
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\ImDiskTk20240210\files.cab" C:\Users\admin\Desktop\ImDiskTk20240210\files\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 2484
CMD: "C:\Windows\System32\NOTEPAD.EXE" C:\Users\admin\Desktop\ImDiskTk20240210\install.bat
Path: C:\Windows\System32\notepad.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Notepad
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Modules (Images):
c:\windows\system32\notepad.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\user32.dll

PID: 3940
CMD: "C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\ImDiskTk-x64.zip
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: (not recorded; process still running at the end of the session)
Version: 5.91.0
Modules (Images):
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\comdlg32.dll

PID: 4064
CMD: C:\Windows\system32\cmd.exe /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" "
Path: C:\Windows\System32\cmd.exe
Parent process: explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll

PID: 4092
CMD: cmd /c ""C:\Users\admin\Desktop\ImDiskTk20240210\install.bat" 7 "
Path: C:\Windows\System32\cmd.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Exit code: 0
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)
Modules (Images):
c:\windows\system32\cmd.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\winbrand.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\lpk.dll
c:\windows\system32\usp10.dll
Total events: 6 802
Read events: 6 759
Write events: 43
Delete events: 0

Modification events

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Name: ShellExtBMP
Value: (empty)

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\Interface\Themes
Name: ShellExtIcon
Value: (empty)

PID 3940 WinRAR.exe, write
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Name: LanguageList
Value: en-US

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Name: 3
Value: C:\Users\admin\Desktop\phacker.zip

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Name: 2
Value: C:\Users\admin\Desktop\Win7-KB3191566-x86.zip

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Name: 1
Value: C:\Users\admin\Desktop\curl-8.5.0_1-win32-mingw.zip

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Name: 0
Value: C:\Users\admin\AppData\Local\Temp\ImDiskTk-x64.zip

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Name: name
Value: 120

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Name: size
Value: 80

PID 3940 WinRAR.exe, write
Key: HKEY_CURRENT_USER\Software\WinRAR\FileList\FileColumnWidths
Name: type
Value: 120
Executable files: 111
Suspicious files: 3
Text files: 58
Unknown types: 1

Dropped files

PID 2108, extrac32.exe
File: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\ImDiskTk-svc.exe
Type: executable
MD5: 25B48E8DCE57DA93A7E57C78B17B8D79
SHA256: 386ABEFA4F9924D98F42F6196459954C72D4C36A3FBAB3686C0E5FB03BE18FBD

PID 3940, WinRAR.exe
File: C:\Users\admin\Desktop\ImDiskTk20240210\files.cab
Type: compressed
MD5: D0E88BB4F5F956DDC184F2ABC2B01A26
SHA256: 7CCD32EFB59BCC109736FC6BC69374EFB33CEA7C80A1BF0E7AC6C319CF8CFE2D

PID 3940, WinRAR.exe
File: C:\Users\admin\Desktop\ImDiskTk20240210\install.bat
Type: text
MD5: 2FD9AD12197839ED71F1B472D8574530
SHA256: 7A6C2110BBFB92F88B331CD438BB90208CF8E2D8AC19058D0EA744F6016A06A6

PID 2108, extrac32.exe
File: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\MountImg.exe
Type: executable
MD5: E10E0F66C29BE8B123150789EC44421E
SHA256: CF8D1CD4EE64CC8C6BF0D4AC5EA1B1485EFC18DC6577490EE8CAC1F9C35D2575

PID 2108, extrac32.exe
File: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Dmg.dll
Type: executable
MD5: F66F2F74F411D9A07FA7AED0B8CE5775
SHA256: 97DBF6AC3F127C11099368504E357522D1C4CE6F94DE383D365F1FC6F9EF1B75

PID 2108, extrac32.exe
File: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DevioNet.dll
Type: executable
MD5: 54BB050CF95571D3EC4AAD0CC9DB2515
SHA256: 3D5699E37C931A9F93717F19EBCDDFD0777233D6B08321DB572993A621A06009

PID 2108, extrac32.exe
File: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\RamDyn.exe
Type: executable
MD5: 2CB9BC7A586304DA913591BADD7D6921
SHA256: C1ACF0682F3357CDBC12C7584D3B903F24632E0A42309954F173092F970693D1

PID 2108, extrac32.exe
File: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Core.dll
Type: executable
MD5: 0E1109BA370B330CCFD343F9D29EFA28
SHA256: D54693FBFBBAF5AC0F8765F9B98FD7F8D7368BB3076C9741E24E9480B71AA1B5

PID 2108, extrac32.exe
File: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\DiscUtils\DiscUtils.Streams.dll
Type: executable
MD5: 3D48A8D4C6D7AA26D5E54F156F4A5A29
SHA256: 599A24D0CAC9EDDF35B8C3B9CEB993A70DFFECDD962E5EC19C665C356086B4E8

PID 2108, extrac32.exe
File: C:\Users\admin\AppData\Local\Temp\ImDisk 25518.37\ImDisk Virtual Disk Driver.lnk
Type: lnk
MD5: CE2DA510E9CF5C6369BFA0834254D265
SHA256: 41F8715F373CCF7E47DA5623F946018DE5F13BD8C5BE09F0D58C73FBA8D606D9
Download the PCAP and analyze network streams, HTTP content and more in the full report.
HTTP(S) requests: 0
TCP/UDP connections: 4
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID 4, System, 192.168.100.255:138, reputation: whitelisted
PID 4, System, 192.168.100.255:137, reputation: whitelisted
(PID and process not shown in the report), 224.0.0.252:5355, reputation: unknown
PID 1088, svchost.exe, 224.0.0.252:5355, reputation: unknown

The Domain, ASN and CN columns are empty for all four connections. All four are local broadcast or multicast traffic: NetBIOS name service and datagram service (UDP 137/138) to the subnet broadcast address, and LLMNR (UDP 5355) to the 224.0.0.252 multicast group. None of it originates from the sample's processes.

DNS requests

No data

Threats

No threats detected
No debug info