| File name: | setup.msi |
| Full analysis: | https://app.any.run/tasks/8666d9bb-b44f-4e56-82aa-b0b61873a9f6 |
| Verdict: | Malicious activity |
| Threats: | Adware is a form of malware that targets users with unwanted advertisements, often disrupting their browsing experience. It typically infiltrates systems through software bundling, malicious websites, or deceptive downloads. Once installed, it may track user activity, collect sensitive data, and display intrusive ads, including pop-ups or banners. Some advanced adware variants can bypass security measures and establish persistence on devices, making removal challenging. Additionally, adware can create vulnerabilities that other malware can exploit, posing a significant risk to user privacy and system security. |
| Analysis date: | May 02, 2024, 12:17:41 |
| OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
| Tags: | |
| Indicators: | |
| MIME: | application/x-msi |
| File info: | Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Security: 0, Code page: 1252, Revision Number: {7E46F1E8-9B29-4A93-A1B8-7A776E9F3FBD}, Number of Words: 2, Subject: Ai Summarizer, Author: NEXITEK LTD, Name of Creating Application: Ai Summarizer, Template: ;1033, Comments: This installer database contains the logic and data required to install Ai Summarizer., Title: Installation Database, Keywords: Installer, MSI, Database, Create Time/Date: Sun Mar 31 17:17:10 2024, Last Saved Time/Date: Sun Mar 31 17:17:10 2024, Last Printed: Sun Mar 31 17:17:10 2024, Number of Pages: 450 |
| MD5: | 0B5C99ABB6F3AA3C49A0E5BF9E3602F6 |
| SHA1: | AB6291C5521A6A7490F18A160C375BBCE3F7E09C |
| SHA256: | 93BE55A715BDE8B8912D2CDC9674045933B8A7DB10903E8AC187775EEAC0CA79 |
| SSDEEP: | 98304:i9ILosSpkNN/2WGYqr0V5RZlTvJ9jwW8wQ8KI6HoW: |
MALICIOUS
The DLL Hijacking
- msiexec.exe (PID: 1036)
Drops the executable file immediately after the start
- msiexec.exe (PID: 4028)
SUSPICIOUS
Checks Windows Trust Settings
- msiexec.exe (PID: 4028)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 4028)
Checks for Java to be installed
- msiexec.exe (PID: 1036)
Reads the Internet Settings
- msiexec.exe (PID: 1036)
Reads security settings of Internet Explorer
- msiexec.exe (PID: 1036)
INFO
Reads security settings of Internet Explorer
- msiexec.exe (PID: 3980)
Checks supported languages
- msiexec.exe (PID: 4028)
- wmpnscfg.exe (PID: 588)
- msiexec.exe (PID: 1036)
Reads the computer name
- msiexec.exe (PID: 4028)
- wmpnscfg.exe (PID: 588)
- msiexec.exe (PID: 1036)
An automatically generated document
- msiexec.exe (PID: 3980)
Reads the software policy settings
- msiexec.exe (PID: 3980)
- msiexec.exe (PID: 4028)
Reads the machine GUID from the registry
- msiexec.exe (PID: 4028)
- msiexec.exe (PID: 1036)
Executable content was dropped or overwritten
- msiexec.exe (PID: 4028)
Reads Microsoft Office registry keys
- msiexec.exe (PID: 1036)
Creates files or folders in the user directory
- msiexec.exe (PID: 1036)
Process checks Powershell version
- msiexec.exe (PID: 1036)
Checks proxy server information
- msiexec.exe (PID: 1036)
Manual execution by a user
- wmpnscfg.exe (PID: 588)
Creates a software uninstall entry
- msiexec.exe (PID: 4028)
Create files in a temporary directory
- msiexec.exe (PID: 4028)
Application launched itself
- msiexec.exe (PID: 4028)
Reads Environment values
- msiexec.exe (PID: 1036)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .msi | | | Microsoft Windows Installer (88.6) |
|---|---|---|
| .mst | | | Windows SDK Setup Transform Script (10) |
| .msi | | | Microsoft Installer (100) |
EXIF
FlashPix
| Security: | None |
|---|---|
| CodePage: | Windows Latin 1 (Western European) |
| RevisionNumber: | {7E46F1E8-9B29-4A93-A1B8-7A776E9F3FBD} |
| Words: | 2 |
| Subject: | Ai Summarizer |
| Author: | NEXITEK LTD |
| LastModifiedBy: | - |
| Software: | Ai Summarizer |
| Template: | ;1033 |
| Comments: | This installer database contains the logic and data required to install Ai Summarizer. |
| Title: | Installation Database |
| Keywords: | Installer, MSI, Database |
| CreateDate: | 2024:04:30 17:17:10 |
| ModifyDate: | 2024:04:30 17:17:10 |
| LastPrinted: | 2024:04:30 17:17:10 |
| Pages: | 450 |
Total processes
38
Monitored processes
4
Malicious processes
2
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 588 | "C:\Program Files\Windows Media Player\wmpnscfg.exe" | C:\Program Files\Windows Media Player\wmpnscfg.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Media Player Network Sharing Service Configuration Application Exit code: 0 Version: 12.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 1036 | C:\Windows\system32\MsiExec.exe -Embedding 5243C0DE38DFA051F827D9DCDCD012C7 | C:\Windows\System32\msiexec.exe | msiexec.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 3980 | "C:\Windows\System32\msiexec.exe" /i C:\Users\admin\AppData\Local\Temp\setup.msi | C:\Windows\System32\msiexec.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows® installer Exit code: 0 Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
| 4028 | C:\Windows\system32\msiexec.exe /V | C:\Windows\System32\msiexec.exe | services.exe | ||||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Windows® installer Version: 5.0.7600.16385 (win7_rtm.090713-1255) Modules
| |||||||||||||||
Total events
10 596
Read events
10 399
Write events
179
Delete events
18
Modification events
| (PID) Process: | (3980) msiexec.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000_CLASSES\Local Settings\MuiCache\182\52C64B7E |
| Operation: | write | Name: | LanguageList |
Value: en-US | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Owner |
Value: BC0F000008E94EC18A9CDA01 | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | SessionHash |
Value: F58803A89D797EC0A03BDDFB01E4046243CAF10223E6F5B29D43C9CFA7F92BD1 | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_USERS\S-1-5-21-1302019708-1500728564-335382590-1000\Software\Microsoft\RestartManager\Session0000 |
| Operation: | write | Name: | Sequence |
Value: 1 | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders |
| Operation: | write | Name: | C:\Config.Msi\ |
Value: | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | write | Name: | C:\Config.Msi\1038c8.rbs |
Value: 31104147 | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Rollback\Scripts |
| Operation: | write | Name: | C:\Config.Msi\1038c8.rbsLow |
Value: 618463488 | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\037C6B305F0DAAE4F9BAF82D414CA821 |
| Operation: | write | Name: | 8AC080072DCA20A47B60923ADC2160B3 |
Value: C:\Program Files\NEXITEK LTD\Ai Summarizer\ | |||
| (PID) Process: | (4028) msiexec.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\037C6B305F0DAAE4F9BAF82D414CA821 |
| Operation: | write | Name: | 00000000000000000000000000000000 |
Value: C:\Program Files\NEXITEK LTD\Ai Summarizer\ | |||
Executable files
13
Suspicious files
5
Text files
2
Unknown types
2
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 4028 | msiexec.exe | C:\Windows\Installer\MSI3E15.tmp | executable | |
MD5:8D84543F774C6B280B32B24265E272E8 | SHA256:32B60176177D943DF28F931828717F4B52B1434B8C0CD3CA8CC8A424B016B092 | |||
| 4028 | msiexec.exe | C:\Windows\Installer\MSI3D88.tmp | executable | |
MD5:C6B7F525BEBDCE408CAE137E6C82FA4C | SHA256:E0EA63E00F640C74DDD0B51A46D4D0601ACDEBDC8B97957FED727F332A96DC90 | |||
| 4028 | msiexec.exe | C:\Windows\Installer\MSI3E65.tmp | executable | |
MD5:9AC5DA40BE505273F6F1B48CE6D159BE | SHA256:6547BAC5E0F08595325B769A6605A6C27B1EB2620A31DC9ECC4185B64882E837 | |||
| 4028 | msiexec.exe | C:\Windows\Installer\MSI41B5.tmp | executable | |
MD5:8D84543F774C6B280B32B24265E272E8 | SHA256:32B60176177D943DF28F931828717F4B52B1434B8C0CD3CA8CC8A424B016B092 | |||
| 1036 | msiexec.exe | C:\Users\admin\AppData\Local\AdvinstAnalytics\65b2e2115bc9fc7472607c90\1.0.0\{BD3EFF59-6AA5-4B8F-BBC3-1B74700CCB85}.session | text | |
MD5:3325F4098E84F545B57F2DAD75DDEC25 | SHA256:46DF87F4E7C8D5EF25BC74F9DAA14219EC27DE916CFA50D21A3DCBD67161D544 | |||
| 4028 | msiexec.exe | C:\Windows\Installer\MSI409A.tmp | executable | |
MD5:C6B7F525BEBDCE408CAE137E6C82FA4C | SHA256:E0EA63E00F640C74DDD0B51A46D4D0601ACDEBDC8B97957FED727F332A96DC90 | |||
| 4028 | msiexec.exe | C:\Windows\Installer\MSI4310.tmp | binary | |
MD5:7247581A5AC4D93AE84855731F476D1C | SHA256:EB444419F4E698ED49F15ED50BFBC48F246469F77F5FFCD49AEB25FAA7B32B81 | |||
| 4028 | msiexec.exe | C:\Windows\Installer\MSI406A.tmp | executable | |
MD5:C6B7F525BEBDCE408CAE137E6C82FA4C | SHA256:E0EA63E00F640C74DDD0B51A46D4D0601ACDEBDC8B97957FED727F332A96DC90 | |||
| 4028 | msiexec.exe | C:\Windows\Installer\MSI4128.tmp | executable | |
MD5:8D84543F774C6B280B32B24265E272E8 | SHA256:32B60176177D943DF28F931828717F4B52B1434B8C0CD3CA8CC8A424B016B092 | |||
| 4028 | msiexec.exe | C:\Windows\Installer\1038c7.ipi | binary | |
MD5:86D5FAF9BEA214F613D2FE25B84B2F28 | SHA256:01547B3B1EB6439D52EAF0092C0BE3496277A566B8753BCE6D6B3A3C4F58C31E | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
5
DNS requests
1
Threats
3
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
1036 | msiexec.exe | POST | — | 54.211.30.217:80 | http://collect.installeranalytics.com/ | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 224.0.0.252:5355 | — | — | — | unknown |
1088 | svchost.exe | 224.0.0.252:5355 | — | — | — | unknown |
1036 | msiexec.exe | 54.211.30.217:80 | collect.installeranalytics.com | AMAZON-AES | US | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
collect.installeranalytics.com |
| unknown |
Threats
3 ETPRO signatures available at the full report