| File name: | taxi.exe |
| Full analysis: | https://app.any.run/tasks/7c92a6cf-68a7-4fb5-a82c-6096a0c49433 |
| Verdict: | Malicious activity |
| Analysis date: | March 10, 2024, 10:11:02 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | C5166E71E0A11E20436AC4DE2A0FFC4F |
| SHA1: | 6184AB207DE5A8413D6C29285BF3E7523F3FD103 |
| SHA256: | A0F4F697352A6D4A4EFABEF13DEEB9780E841B6B8F6D5DF38572A3BEF4EAF024 |
| SSDEEP: | 12288:4rV0VzrlLkck/N8rtFCbWW1qMoy6TOWCbTvl5uQ4v9X/g+hjuW/:4Ru+ck/N8r/kWWUUEOWCPl5uQ4W+hju2 |
MALICIOUS
Drops the executable file immediately after the start
- taxi.exe (PID: 3660)
- is-OODE4.tmp (PID: 2852)
SUSPICIOUS
Reads settings of System Certificates
- taxi.exe (PID: 864)
Process drops legitimate windows executable
- is-OODE4.tmp (PID: 2852)
Reads the Windows owner or organization settings
- is-OODE4.tmp (PID: 2852)
Executable content was dropped or overwritten
- taxi.exe (PID: 3660)
- is-OODE4.tmp (PID: 2852)
INFO
Creates files or folders in the user directory
- taxi.exe (PID: 864)
Checks supported languages
- is-OODE4.tmp (PID: 2852)
- taxi.exe (PID: 3660)
- taxi.exe (PID: 864)
Create files in a temporary directory
- taxi.exe (PID: 3660)
- is-OODE4.tmp (PID: 2852)
Reads the computer name
- is-OODE4.tmp (PID: 2852)
- taxi.exe (PID: 864)
Creates files in the program directory
- is-OODE4.tmp (PID: 2852)
Creates a software uninstall entry
- is-OODE4.tmp (PID: 2852)
Reads CPU info
- taxi.exe (PID: 864)
Reads the machine GUID from the registry
- taxi.exe (PID: 864)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win32 Executable PowerBASIC/Win 9.x (51.2) |
|---|---|---|
| .exe | | | Inno Setup installer (37.9) |
| .exe | | | Win32 Executable Delphi generic (4.9) |
| .dll | | | Win32 Dynamic Link Library (generic) (2.2) |
| .exe | | | Win32 Executable (generic) (1.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 1992:06:19 22:22:17+00:00 |
| ImageFileCharacteristics: | No relocs, Executable, No line numbers, No symbols, Bytes reversed lo, 32-bit, Bytes reversed hi |
| PEType: | PE32 |
| LinkerVersion: | 2.25 |
| CodeSize: | 36864 |
| InitializedDataSize: | 14336 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x98d8 |
| OSVersion: | 1 |
| ImageVersion: | - |
| SubsystemVersion: | 4 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 0.0.0.0 |
| ProductVersionNumber: | 0.0.0.0 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Win32 |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Windows, Latin1 |
| Comments: | This installation was built with Inno Setup: http://www.innosetup.com |
| CompanyName: | Novel Games Limited |
| FileDescription: | Crazy Taxi Setup |
| FileVersion: | |
| LegalCopyright: |
Total processes
44
Monitored processes
4
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 864 | "C:\Program Files\Novel Games\Crazy Taxi\taxi.exe" | C:\Program Files\Novel Games\Crazy Taxi\taxi.exe | is-OODE4.tmp | ||||||||||||
User: admin Company: Novel Games Limited Integrity Level: HIGH Description: Crazy Taxi Exit code: 0 Version: 1.1.0.0 Modules
| |||||||||||||||
| 2852 | "C:\Users\admin\AppData\Local\Temp\is-O2VIJ.tmp\is-OODE4.tmp" /SL4 $F0170 "C:\Users\admin\AppData\Local\Temp\taxi.exe" 83387 52224 | C:\Users\admin\AppData\Local\Temp\is-O2VIJ.tmp\is-OODE4.tmp | taxi.exe | ||||||||||||
User: admin Integrity Level: HIGH Description: Setup/Uninstall Exit code: 0 Version: 51.43.0.0 Modules
| |||||||||||||||
| 3660 | "C:\Users\admin\AppData\Local\Temp\taxi.exe" | C:\Users\admin\AppData\Local\Temp\taxi.exe | explorer.exe | ||||||||||||
User: admin Company: Novel Games Limited Integrity Level: HIGH Description: Crazy Taxi Setup Exit code: 0 Version: Modules
| |||||||||||||||
| 3700 | "C:\Users\admin\AppData\Local\Temp\taxi.exe" | C:\Users\admin\AppData\Local\Temp\taxi.exe | — | explorer.exe | |||||||||||
User: admin Company: Novel Games Limited Integrity Level: MEDIUM Description: Crazy Taxi Setup Exit code: 3221226540 Version: Modules
| |||||||||||||||
Total events
4 477
Read events
4 459
Write events
18
Delete events
0
Modification events
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | Inno Setup: Setup Version |
Value: 5.1.8 | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | Inno Setup: App Path |
Value: C:\Program Files\Novel Games\Crazy Taxi | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | InstallLocation |
Value: C:\Program Files\Novel Games\Crazy Taxi\ | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | Inno Setup: Icon Group |
Value: Novel Games\Crazy Taxi | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | Inno Setup: User |
Value: admin | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | Inno Setup: Selected Tasks |
Value: desktopicon | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | Inno Setup: Deselected Tasks |
Value: | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | DisplayName |
Value: Crazy Taxi 1.1.0 | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | UninstallString |
Value: "C:\Program Files\Novel Games\Crazy Taxi\unins000.exe" | |||
| (PID) Process: | (2852) is-OODE4.tmp | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Crazy Taxi_is1 |
| Operation: | write | Name: | QuietUninstallString |
Value: "C:\Program Files\Novel Games\Crazy Taxi\unins000.exe" /SILENT | |||
Executable files
12
Suspicious files
50
Text files
7
Unknown types
36
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 2852 | is-OODE4.tmp | C:\Program Files\Novel Games\Crazy Taxi\is-FJMHJ.tmp | executable | |
MD5:CFDD97AD6E77F5830E924B89DA0AF1C5 | SHA256:C285A370D25A226739075B25A5E73ECC00556D75E7D71415FDB38C5FA1349269 | |||
| 2852 | is-OODE4.tmp | C:\Users\admin\AppData\Local\Temp\is-6DBM6.tmp\_isetup\_shfoldr.dll | executable | |
MD5:92DC6EF532FBB4A5C3201469A5B5EB63 | SHA256:9884E9D1B4F8A873CCBD81F8AD0AE257776D2348D027D811A56475E028360D87 | |||
| 2852 | is-OODE4.tmp | C:\Users\admin\AppData\Local\Temp\is-6DBM6.tmp\_isetup\_isdecmp.dll | executable | |
MD5:A813D18268AFFD4763DDE940246DC7E5 | SHA256:E19781AABE466DD8779CB9C8FA41BBB73375447066BB34E876CF388A6ED63C64 | |||
| 2852 | is-OODE4.tmp | C:\Program Files\Novel Games\Crazy Taxi\unins000.exe | executable | |
MD5:CFDD97AD6E77F5830E924B89DA0AF1C5 | SHA256:C285A370D25A226739075B25A5E73ECC00556D75E7D71415FDB38C5FA1349269 | |||
| 2852 | is-OODE4.tmp | C:\Program Files\Novel Games\Crazy Taxi\is-7HPDU.tmp | executable | |
MD5:B8FCA2F3D30A7AB24EC9C3679F5C1253 | SHA256:B9730E538DDCAB5FE8716E44626101061D53922F2226D8E0A8CDAA9F377BFEDD | |||
| 3660 | taxi.exe | C:\Users\admin\AppData\Local\Temp\is-O2VIJ.tmp\is-OODE4.tmp | executable | |
MD5:C89187509A7D3D9B1F329A4444BBF830 | SHA256:7AE72FB016CBCB38A57FE12BE10C7956F7BFC8717B2FB23D53165010F903E098 | |||
| 2852 | is-OODE4.tmp | C:\Program Files\Novel Games\Crazy Taxi\is-42JBH.tmp | image | |
MD5:1507E4E873DA90AE774620AE5735A255 | SHA256:CE20007C7A08499060B06BED3A9D6AFC43AECFE1B085DEAC38DCE4657C5450BC | |||
| 2852 | is-OODE4.tmp | C:\Program Files\Novel Games\Crazy Taxi\taxi.exe | executable | |
MD5:B8FCA2F3D30A7AB24EC9C3679F5C1253 | SHA256:B9730E538DDCAB5FE8716E44626101061D53922F2226D8E0A8CDAA9F377BFEDD | |||
| 2852 | is-OODE4.tmp | C:\Program Files\Novel Games\Crazy Taxi\is-4RERS.tmp | executable | |
MD5:C838BD9587B5AC1C814B2CEBAAF7FED1 | SHA256:53F06DBB2EAFBF4C805FBBEA8C91F7D5A6917CA9C2FF5C069D503AFAD604CC1B | |||
| 2852 | is-OODE4.tmp | C:\Program Files\Novel Games\Crazy Taxi\AxInterop.ShockwaveFlashObjects.dll | executable | |
MD5:C838BD9587B5AC1C814B2CEBAAF7FED1 | SHA256:53F06DBB2EAFBF4C805FBBEA8C91F7D5A6917CA9C2FF5C069D503AFAD604CC1B | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
4
TCP/UDP connections
10
DNS requests
3
Threats
0
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
864 | taxi.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | binary | 471 b | unknown |
864 | taxi.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | binary | 471 b | unknown |
864 | taxi.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | binary | 471 b | unknown |
864 | taxi.exe | POST | 200 | 192.229.221.95:80 | http://ocsp.digicert.com/ | unknown | binary | 471 b | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 224.0.0.252:5355 | — | — | — | unknown |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
1080 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
864 | taxi.exe | 69.192.160.136:443 | geo2.adobe.com | AKAMAI-AS | DE | unknown |
864 | taxi.exe | 192.229.221.95:80 | ocsp.digicert.com | EDGECAST | US | whitelisted |
864 | taxi.exe | 104.102.49.111:443 | fpdownload.macromedia.com | AKAMAI-AS | DE | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
geo2.adobe.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
fpdownload.macromedia.com |
| whitelisted |