File name: taklol.zip
Full analysis: https://app.any.run/tasks/25bf33d4-7bf2-40f5-9bfa-69ebe4b75194
Verdict: Malicious activity
Analysis date: September 30, 2020, 14:32:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
opendir
Indicators:
MIME: application/zip
File info: Zip archive data, at least v1.0 to extract
MD5: 73A47DDC9A9EB18A72E4B81B3A05BCE2
SHA1: 3860060CEC8974948C91BBFC73F41F477D9230A4
SHA256: EEAB2E0C590B21C7A4579B7D01E2F2543DB3F3D8B78D648F3C6380857EBF3963
SSDEEP: 98304:fy/yUb7vFeU0auScyLKZvf89PzkWt61/sq35A9+V:fy/yUb7vFeU0aufOKxfiPMsSom

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • SearchProtocolHost.exe (PID: 3844)
      • TakLoL.exe (PID: 1720)
      • pfier.exe (PID: 2808)
      • explorer.exe (PID: 328)
      • ctfmon.exe (PID: 612)
      • Update.exe (PID: 2844)
    • Application was dropped or rewritten from another process

      • TakLoL.exe (PID: 1720)
      • TakLoL.exe (PID: 3336)
      • pfier.exe (PID: 2808)
      • Update.exe (PID: 2844)
      • Update.exe (PID: 2816)
    • Writes to the hosts file

      • TakLoL.exe (PID: 1720)
  • SUSPICIOUS

    • Creates files in the user directory

      • explorer.exe (PID: 328)
    • Executable content was dropped or overwritten

      • WinRAR.exe (PID: 2852)
    • Reads Environment values

      • Update.exe (PID: 2844)
  • INFO

    • Manual execution by user

      • WinRAR.exe (PID: 2852)
      • TakLoL.exe (PID: 3336)
      • TakLoL.exe (PID: 1720)
    • Reads the hosts file

      • TakLoL.exe (PID: 1720)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipFileName: TakLoL/
ZipUncompressedSize: -
ZipCompressedSize: -
ZipCRC: 0x00000000
ZipModifyDate: 2020:09:23 18:50:27
ZipCompression: None
ZipBitFlag: -
ZipRequiredVersion: 10
No data.
All screenshots are available in the full report
Total processes: 48
Monitored processes: 10
Malicious processes: 6
Suspicious processes: 1

Behavior graph

Process nodes, as labelled in the graph:
  • winrar.exe (no specs)
  • winrar.exe
  • searchprotocolhost.exe (no specs)
  • taklol.exe (no specs)
  • taklol.exe
  • pfier.exe (no specs)
  • explorer.exe (no specs)
  • ctfmon.exe (no specs)
  • update.exe (no specs)
  • update.exe

Process information

PID: 2752
CMD: "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\admin\Desktop\taklol.zip"
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 2852
CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Desktop\taklol.zip" C:\Users\admin\Desktop\
Path: C:\Program Files\WinRAR\WinRAR.exe
Parent process: explorer.exe
User: admin
Company: Alexander Roshal
Integrity Level: MEDIUM
Description: WinRAR archiver
Exit code: 0
Version: 5.60.0

PID: 3844
CMD: "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe5_ Global\UsGthrCtrlFltPipeMssGthrPipe5 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
Path: C:\Windows\System32\SearchProtocolHost.exe
Parent process: SearchIndexer.exe
User: SYSTEM
Company: Microsoft Corporation
Integrity Level: SYSTEM
Description: Microsoft Windows Search Protocol Host
Exit code: 0
Version: 7.00.7600.16385 (win7_rtm.090713-1255)

PID: 3336
CMD: "C:\Users\admin\Desktop\TakLoL\TakLoL.exe"
Path: C:\Users\admin\Desktop\TakLoL\TakLoL.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: TakLoL Apps
Exit code: 3221226540
Version: 1.1.1.0

PID: 1720
CMD: "C:\Users\admin\Desktop\TakLoL\TakLoL.exe"
Path: C:\Users\admin\Desktop\TakLoL\TakLoL.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: TakLoL Apps
Version: 1.1.1.0

PID: 2808
CMD: "C:\Users\admin\Desktop\TakLoL\libraries\pfier\pfier.exe"
Path: C:\Users\admin\Desktop\TakLoL\libraries\pfier\pfier.exe
Parent process: TakLoL.exe
User: admin
Company: Initex
Integrity Level: HIGH
Description: Proxifier Portable Edition v3.42
Version: 3.42.0.1

PID: 328
CMD: C:\Windows\Explorer.EXE
Path: C:\Windows\explorer.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Explorer
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 612
CMD: C:\Windows\System32\ctfmon.exe
Path: C:\Windows\System32\ctfmon.exe
Parent process: taskeng.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: CTF Loader
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2816
CMD: "C:\Users\admin\Desktop\TakLoL\Update.exe"
Path: C:\Users\admin\Desktop\TakLoL\Update.exe
Parent process: explorer.exe
User: admin
Integrity Level: MEDIUM
Description: TakLoL Updater
Exit code: 3221226540
Version: 1.0.4.0

PID: 2844
CMD: "C:\Users\admin\Desktop\TakLoL\Update.exe"
Path: C:\Users\admin\Desktop\TakLoL\Update.exe
Parent process: explorer.exe
User: admin
Integrity Level: HIGH
Description: TakLoL Updater
Exit code: 0
Version: 1.0.4.0
Total events: 5 407
Read events: 5 232
Write events: 0
Delete events: 0

Modification events: No data

Executable files: 6
Suspicious files: 0
Text files: 73
Unknown types: 3

Dropped files

PID | Process | Filename | Type

2852 | WinRAR.exe | C:\Users\admin\Desktop\TakLoL\libraries\pfier\Settings.ini | text
MD5: AFC5B6952039B7B68DC051505EF83D5D
SHA256: 49E327BF2ED1FEA16CE3463115B1B4348D8CFFF7283BF78CECD5B7F9E8864D9A

2852 | WinRAR.exe | C:\Users\admin\Desktop\TakLoL\Update.exe | executable
MD5: A8F319DC27F9AAE736B14EADDE175C17
SHA256: 3159687665B6487A1238C1A2FB9229986013D509A00D600E8121C8C87976ACC6

1720 | TakLoL.exe | C:\Windows\System32\drivers\etc\hosts | text
MD5: 722BCDE9CBEC87BE7E58909B2391210B
SHA256: BE35D26A1C476FB4FEBC680C0C031674A9F6E75259E9C4895A7C75416BA425B6

1720 | TakLoL.exe | C:\Users\admin\Desktop\TakLoL\libraries\pfier\Profiles\Default.ppx | xml
MD5: E0EDA326DAB2852AED2440B0F238A57E
SHA256: 4D24F698AA7ECD1BE270618D6D822E39FC1CFC6AD4DE287C0C3AE94176133099

328 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\290532160612e071.automaticDestinations-ms | automaticdestinations-ms
MD5: F8019C33C0764237C4CCF6E1833D4AB3
SHA256: 2F438169287CA423617E6A349886AD889E0A8CEB14932A11CA7C3652D4285036

328 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\taklol.zip.lnk | lnk
MD5: 4A00EBECB76AEBA0CEE50D8376EDB483
SHA256: A8EAE0D883E5F979FAA776F072F71C7B7FE6E780362BF86D15E2DB5CFBD51188

1720 | TakLoL.exe | C:\Users\admin\Desktop\TakLoL\LData.cfg | text
MD5: 78628EA3AB7EDD2E031FACBCE54BC4D9
SHA256: 12C423969E44991D0792192D8A3FD3762C07E7C8518F27FD02A1E15C3DAD5D2C

328 | explorer.exe | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\1b4dd67f29cb1962.automaticDestinations-ms | automaticdestinations-ms
MD5: 4F11CAD9DA98EB78ACC4D17CEBA9EBBE
SHA256: 487691007B057BC39DD29B0C33DDBD00F6E7FAD1A3F7A15BB1EC9E1615F2E16F

2852 | WinRAR.exe | C:\Users\admin\Desktop\TakLoL\TakLoL.exe | executable
MD5: 370B1C975AA0AB38B721B36C481638FA
SHA256: 7BC2F4DDF720F9E8EB48F61391AF09BEFE792ED0794519DB6C47BA51E11E1F69

2808 | pfier.exe | C:\Users\admin\Desktop\TakLoL\libraries\pfier\Settings.ini | text
MD5: 133DEE23563C444ABB4FE1FFE804087B
SHA256: B273B70FA310E4C4D079479C5056B7BB2F0721064E83B9997705F5A0F85A7350
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 2
TCP/UDP connections: 3
DNS requests: 4
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
1720 | TakLoL.exe | POST | 200 | 104.24.113.121:80 | http://taklol.ir/update/getlast5 | US | text | 3.68 Kb | suspicious
1720 | TakLoL.exe | POST | 200 | 104.24.112.121:80 | http://taklol.taklol.ir/update/getlast5 | US | text | 3.68 Kb | suspicious

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2844 | Update.exe | 172.67.146.87:80 | taklol.ir | - | US | suspicious
1720 | TakLoL.exe | 104.24.112.121:80 | taklol.ir | Cloudflare Inc | US | shared
1720 | TakLoL.exe | 104.24.113.121:80 | taklol.ir | Cloudflare Inc | US | shared

DNS requests

Domain | IP | Reputation
taklol.ir | 104.24.113.121, 104.24.112.121, 172.67.146.87 | suspicious
taklol.taklol.ir | 104.24.112.121, 172.67.146.87, 104.24.113.121 | suspicious
www.google.com | 172.217.22.100 | whitelisted

Threats

No threats detected
No debug info