analyze malware
  • Huge database of samples and IOCs
  • Custom VM setup
  • Unlimited submissions
  • Interactive approach
Sign up, it’s free
File name:

gSyncit_5_3_21.msi

Full analysis: https://app.any.run/tasks/518b4801-0c5a-4c1b-b4fa-e0f2b1bdd55c
Verdict: Malicious activity
Analysis date: January 11, 2019, 09:41:03
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, MSI Installer, Create Time/Date: Mon Jun 21 08:00:00 1999, Name of Creating Application: Windows Installer, Security: 1, Code page: 1252, Template: Intel;1033, Number of Pages: 200, Revision Number: {75E6C46E-92C1-4768-98EB-98F58D24F125}, Title: gSyncit for Microsoft Outlook, Author: Fieldston Software, Number of Words: 2, Last Saved Time/Date: Wed Jan 9 19:17:04 2019, Last Printed: Wed Jan 9 19:17:04 2019
MD5:

08FAFEE91A1182E1217ABB03BED16F43

SHA1:

FB19B3C6CA81DB4B2228CC15FE7137536EB595F9

SHA256:

0594D14667C3DF494DBA92F4A71E284D8E45BAFF1C8547CC08EFAE6877412FC8

SSDEEP:

196608:UF/lgvM4+47WjFGBvj0HlfPk8sJlmTmjXBRNaMqA4oLq:w/lSMCIsBoFfPkPiTmP8tA

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes settings of System certificates

      • msiexec.exe (PID: 3300)
    • Loads dropped or rewritten executable

      • gsyncit.exe (PID: 3492)
      • OUTLOOK.EXE (PID: 3200)
    • Application was dropped or rewritten from another process

      • gsyncit.exe (PID: 3492)
  • SUSPICIOUS

    • Creates COM task schedule object

      • msiexec.exe (PID: 2192)
    • Changes the autorun value in the registry

      • msiexec.exe (PID: 2192)
    • Executable content was dropped or overwritten

      • msiexec.exe (PID: 2192)
    • Reads internet explorer settings

      • OUTLOOK.EXE (PID: 3200)
    • Starts Microsoft Office Application

      • MsiExec.exe (PID: 3948)
    • Creates files in the user directory

      • gsyncit.exe (PID: 3492)
      • OUTLOOK.EXE (PID: 3200)
    • Reads Environment values

      • OUTLOOK.EXE (PID: 3200)
    • Reads Internet Cache Settings

      • OUTLOOK.EXE (PID: 3200)
  • INFO

    • Loads dropped or rewritten executable

      • msiexec.exe (PID: 2192)
      • MsiExec.exe (PID: 2412)
      • MsiExec.exe (PID: 3948)
    • Creates files in the program directory

      • MsiExec.exe (PID: 2412)
      • msiexec.exe (PID: 2192)
    • Application launched itself

      • msiexec.exe (PID: 2192)
    • Searches for installed software

      • msiexec.exe (PID: 2192)
    • Low-level read access rights to disk partition

      • vssvc.exe (PID: 3980)
    • Reads Microsoft Office registry keys

      • gsyncit.exe (PID: 3492)
      • OUTLOOK.EXE (PID: 3200)
    • Creates a software uninstall entry

      • msiexec.exe (PID: 2192)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (90.2)
.msp | Windows Installer Patch (8.4)
.msi | Microsoft Installer (100)

EXIF

FlashPix

LastPrinted: 2019:01:09 19:17:04
ModifyDate: 2019:01:09 19:17:04
Words: 2
Comments: -
Keywords: -
Author: Fieldston Software
Subject: -
Title: gSyncit for Microsoft Outlook
RevisionNumber: {75E6C46E-92C1-4768-98EB-98F58D24F125}
Pages: 200
Template: Intel;1033
CodePage: Windows Latin 1 (Western European)
Security: Password protected
Software: Windows Installer
CreateDate: 1999:06:21 07:00:00
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
43
Monitored processes
9
Malicious processes
4
Suspicious processes
0

Behavior graph

Click at the process to see the details
start msiexec.exe msiexec.exe msiexec.exe no specs vssvc.exe no specs drvinst.exe no specs msiexec.exe no specs msiexec.exe no specs gsyncit.exe outlook.exe

Process information

PID
CMD
Path
Indicators
Parent process
3300"C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\Downloads\gSyncit_5_3_21.msi"C:\Windows\System32\msiexec.exe
explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2192C:\Windows\system32\msiexec.exe /VC:\Windows\system32\msiexec.exe
services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3948C:\Windows\system32\MsiExec.exe -Embedding 81F4FC124851856B53DD4D0327D8C052 CC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3980C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exeservices.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2640DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot18" "" "" "6792c44eb" "00000000" "000003A8" "00000540"C:\Windows\system32\DrvInst.exesvchost.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Driver Installation Module
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
2092C:\Windows\system32\MsiExec.exe -Embedding D9430351A4B1C733B2A9DC6EF1C9560EC:\Windows\system32\MsiExec.exemsiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
2412C:\Windows\system32\MsiExec.exe -Embedding 81D6DE2EAAF36FFCC2E722170E05A3B7 M Global\MSI0000C:\Windows\system32\MsiExec.exemsiexec.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
3492"C:\Program Files\Fieldston Software\gSyncit\gsyncit.exe" C:\Program Files\Fieldston Software\gSyncit\gsyncit.exe
MsiExec.exe
User:
admin
Company:
Fieldston Software
Integrity Level:
MEDIUM
Description:
gSyncit
Version:
5.3.21.0
3200"C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE" C:\Program Files\Microsoft Office\Office14\OUTLOOK.EXE
MsiExec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Microsoft Outlook
Version:
14.0.6025.1000
Total events
2 023
Read events
1 357
Write events
0
Delete events
0

Modification events

No data
Executable files
57
Suspicious files
7
Text files
95
Unknown types
7

Dropped files

PID
Process
Filename
Type
3300msiexec.exeC:\Users\admin\AppData\Local\Temp\MSID45D.tmp
MD5:
SHA256:
3300msiexec.exeC:\Users\admin\AppData\Local\Temp\MSID529.tmp
MD5:
SHA256:
2192msiexec.exeC:\System Volume Information\SPP\metadata-2
MD5:
SHA256:
2192msiexec.exeC:\System Volume Information\SPP\OnlineMetadataCache\{6677040d-550d-4230-9e01-934b7aee5b26}_OnDiskSnapshotPropbinary
MD5:52102E3521E369FCA72D0C6185C38A71
SHA256:6C779646DC1F3542547C87449DD5944EC8EFD7DC7964A5B1EA8810E6DECAC621
2640DrvInst.exeC:\Windows\INF\setupapi.ev1binary
MD5:405DCFD6CD4DFB5A35CBCF9A62F996F1
SHA256:D0C972E20CDF3A4B4EDA06E10EBB0182F127E6F4EFCDA1CFB1CF1118042451F4
3948MsiExec.exeC:\Users\admin\AppData\Local\Temp\CFGD519.tmpxml
MD5:20244937356423BD634209FA8D98ED3F
SHA256:F1F95E23D1BEE18AD4E77EFE70F5F36CC5BE2B60688F5E99714F7910869E3C65
2192msiexec.exeC:\Windows\Installer\1a33d3.msi
MD5:
SHA256:
2192msiexec.exeC:\System Volume Information\SPP\snapshot-2binary
MD5:52102E3521E369FCA72D0C6185C38A71
SHA256:6C779646DC1F3542547C87449DD5944EC8EFD7DC7964A5B1EA8810E6DECAC621
2640DrvInst.exeC:\Windows\INF\setupapi.dev.logini
MD5:5F5110DB8297940DE0CF692F694D5BC2
SHA256:9D10C637E956B218E24226D09F3D6CD043632F872631A3A25C0979E5B056FB33
2640DrvInst.exeC:\Windows\INF\setupapi.ev3binary
MD5:76DCC60F78B3DFF1AE3627619074F465
SHA256:18541AC1875315C4F9EFF75050C574FAFF83717C029DAE6B366F9C6C3F0C19E0
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
2
TCP/UDP connections
3
DNS requests
3
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
3200
OUTLOOK.EXE
GET
64.4.26.155:80
http://config.messenger.msn.com/config/msgrconfig.asmx?op=GetOlcConfig
US
whitelisted
3300
msiexec.exe
GET
200
91.199.212.52:80
http://crt.comodoca.com/COMODORSAAddTrustCA.crt
GB
der
1.37 Kb
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
3300
msiexec.exe
91.199.212.52:80
crt.comodoca.com
Comodo CA Ltd
GB
suspicious
3200
OUTLOOK.EXE
69.16.215.76:443
www.fieldstonsoftware.com
Liquid Web, L.L.C
US
unknown
3200
OUTLOOK.EXE
64.4.26.155:80
config.messenger.msn.com
Microsoft Corporation
US
whitelisted

DNS requests

Domain
IP
Reputation
crt.comodoca.com
  • 91.199.212.52
whitelisted
www.fieldstonsoftware.com
  • 69.16.215.76
unknown
config.messenger.msn.com
  • 64.4.26.155
whitelisted

Threats

No threats detected
Process
Message
gsyncit.exe
gSync: [OutlookService::GetOutlookDefaultProfileName]
gsyncit.exe
gSync: GetOutlookDefaultProfileName()
gsyncit.exe
gSync: GetUserSettingPathOverride() => []
gsyncit.exe
gSync: GetUserSettingPathOverride() => []
gsyncit.exe
gSync: GetUserSettingPathOverride() => []
gsyncit.exe
gSync: GetUserSettingPathOverride() => []
gsyncit.exe
gSync:
gsyncit.exe
gSync: Error [File not found.] Exception [ File not found. ] Stack --> at gsyncit.core.UserSettings.Load() in C:\CVSLOCAL\Solutions\gSync_v5.0\src\gsyncit.core\Configuration\UserSettings.cs:line 1209
gsyncit.exe
gSync:
gsyncit.exe
gSync: GetUserSettingPathOverride() => []