File name:

BottomlineSCSigner.msi

Full analysis: https://app.any.run/tasks/bf2ab444-ea93-46c0-b302-0831b9a2f54c
Verdict: Malicious activity
Analysis date: December 19, 2023, 15:00:02
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags:
generated-doc
Indicators:
MIME: application/x-msi
File info: Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Installer for the Bottomline PT-X SmartCard Plugin plugin, Author: Bottomline Technologies, Keywords: Installer, Comments: This installer database contains the logic and data required to install Bottomline PT-X SmartCard Plugin., Template: Intel;1033, Revision Number: {21F96223-FB11-49D4-9A67-E5E2D7AF0A19}, Create Time/Date: Wed Feb 15 16:52:02 2017, Last Saved Time/Date: Wed Feb 15 16:52:02 2017, Number of Pages: 200, Number of Words: 10, Name of Creating Application: Windows Installer XML Toolset (3.10.3.3007), Security: 2
MD5:

CE28FE65993AB7D222D1FAA297E69FEC

SHA1:

1F8A726D1758D27C734A3F57299D82F18D78A98C

SHA256:

F519B082DBCE24F709A73EAC5900707E017CE37EC5D640742E3C36DBC7181A13

SSDEEP:

98304:xd85T2lka8zuXfOEXUjQ7/GhCfljP/8VVcyN0Q8zAMr4IuLz0uXFUYtfA:EUA2tr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Drops the executable file immediately after the start

      • msiexec.exe (PID: 1404)
  • SUSPICIOUS

    • Executes as Windows Service

      • VSSVC.exe (PID: 2088)
    • Checks Windows Trust Settings

      • msiexec.exe (PID: 1404)
    • The process creates files with name similar to system file names

      • msiexec.exe (PID: 1404)
  • INFO

    • Checks supported languages

      • msiexec.exe (PID: 1404)
      • msiexec.exe (PID: 1928)
    • Reads the computer name

      • msiexec.exe (PID: 1404)
      • msiexec.exe (PID: 1928)
    • Application launched itself

      • msiexec.exe (PID: 1404)
    • Reads security settings of Internet Explorer

      • msiexec.exe (PID: 2124)
    • Create files in a temporary directory

      • msiexec.exe (PID: 1404)
    • Reads the machine GUID from the registry

      • msiexec.exe (PID: 1404)
      • msiexec.exe (PID: 1928)
    • Creates files or folders in the user directory

      • msiexec.exe (PID: 1404)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.msi | Microsoft Windows Installer (98.5)
.msi | Microsoft Installer (100)

EXIF

FlashPix

CodePage: Windows Latin 1 (Western European)
Title: Installation Database
Subject: Installer for the Bottomline PT-X SmartCard Plugin plugin
Author: Bottomline Technologies
Keywords: Installer
Comments: This installer database contains the logic and data required to install Bottomline PT-X SmartCard Plugin.
Template: Intel;1033
RevisionNumber: {21F96223-FB11-49D4-9A67-E5E2D7AF0A19}
CreateDate: 2017:02:15 16:52:02
ModifyDate: 2017:02:15 16:52:02
Pages: 200
Words: 10
Software: Windows Installer XML Toolset (3.10.3.3007)
Security: Read-only recommended
No data.
All screenshots are available in the full report
Total processes: 37
Monitored processes: 4
Malicious processes: 1
Suspicious processes: 0

Behavior graph

Interactive graph available in the full report. Nodes: start, msiexec.exe (no specs), msiexec.exe (no specs), vssvc.exe (no specs), msiexec.exe (no specs)

Process information

PID: 1404
CMD: C:\Windows\system32\msiexec.exe /V
Path: C:\Windows\System32\msiexec.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 1928
CMD: C:\Windows\system32\MsiExec.exe -Embedding DD51D91CD081B738BBA7DE8103AD42A8
Path: C:\Windows\System32\msiexec.exe
Parent process: msiexec.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2088
CMD: C:\Windows\system32\vssvc.exe
Path: C:\Windows\System32\VSSVC.exe
Parent process: services.exe
User:
SYSTEM
Company:
Microsoft Corporation
Integrity Level:
SYSTEM
Description:
Microsoft® Volume Shadow Copy Service
Exit code:
0
Version:
6.1.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\vssvc.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
PID: 2124
CMD: "C:\Windows\System32\msiexec.exe" /i "C:\Users\admin\AppData\Local\Temp\BottomlineSCSigner.msi"
Path: C:\Windows\System32\msiexec.exe
Parent process: explorer.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows® installer
Exit code:
0
Version:
5.0.7600.16385 (win7_rtm.090713-1255)
Modules
Images
c:\windows\system32\msiexec.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\user32.dll
c:\windows\system32\gdi32.dll
Total events: 8 599
Read events: 8 549
Write events: 43
Delete events: 7

Modification events

(PID) Process: (2124) msiexec.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\182\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Enter)
Value: 40000000000000009F5A7BD72FB0D90164030000840D0000D5070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Enter)
Value: 40000000000000009F5A7BD72FB0D90164030000840D0000D0070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP
Operation: write
Name: LastIndex
Value: 73

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Enter)
Value: 40000000000000008543C5D72FB0D90164030000840D0000D3070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppGatherWriterMetadata (Leave)
Value: 4000000000000000D1ABF1D82FB0D90164030000840D0000D3070000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppAddInterestingComponents (Enter)
Value: 4000000000000000D1ABF1D82FB0D90164030000840D0000D4070000000000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppAddInterestingComponents (Leave)
Value: 4000000000000000475C02D92FB0D90164030000840D0000D4070000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SPP
Operation: write
Name: SppCreate (Leave)
Value: 4000000000000000E57701DA2FB0D90164030000840D0000D0070000010000000000000000000000000000000000000000000000000000000000000000000000

(PID) Process: (1404) msiexec.exe
Key: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\VSS\Diag\SystemRestore
Operation: write
Name: SrCreateRp (Leave)
Value: 4000000000000000E57701DA2FB0D90164030000840D0000D5070000010000000000000000000000000000000000000000000000000000000000000000000000
Executable files: 6
Suspicious files: 12
Text files: 1
Unknown types: 0

Dropped files

PID: 1404
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\metadata-2
MD5:
SHA256:

PID: 1404
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI1E80.tmp
Type: binary
MD5: 0205CBDA12A76D732423F0332253D4AA
SHA256: A07DCDE57DD14A7FA752C2D76E0C978F38478DC7EAB08973773C5087E6D29B34

PID: 1404
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\OnlineMetadataCache\{f5eb4250-c5bb-4af2-9921-982bada06f92}_OnDiskSnapshotProp
Type: binary
MD5: DB7A5E0C22F33C0ED76683B2E174CBAA
SHA256: 4E4AE066B7663D5A46FB3669A50CFD2D88D43A0A1550DCB4C7C60D3FD8DDFBD6

PID: 1404
Process: msiexec.exe
Filename: C:\Windows\Installer\e1c4e.msi
Type: executable
MD5: CE28FE65993AB7D222D1FAA297E69FEC
SHA256: F519B082DBCE24F709A73EAC5900707E017CE37EC5D640742E3C36DBC7181A13

PID: 1404
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI1EA0.tmp
Type: executable
MD5: EE41EA03D3EF817244DA5DF4DEFAAA1A
SHA256: EE20AF4BB18A71CFEF42FAD6795AE56E6479171B31B46A587F978EA522BBFB70

PID: 1404
Process: msiexec.exe
Filename: C:\System Volume Information\SPP\snapshot-2
Type: binary
MD5: DB7A5E0C22F33C0ED76683B2E174CBAA
SHA256: 4E4AE066B7663D5A46FB3669A50CFD2D88D43A0A1550DCB4C7C60D3FD8DDFBD6

PID: 1404
Process: msiexec.exe
Filename: C:\Windows\Installer\e1c51.msi
Type: executable
MD5: CE28FE65993AB7D222D1FAA297E69FEC
SHA256: F519B082DBCE24F709A73EAC5900707E017CE37EC5D640742E3C36DBC7181A13

PID: 1404
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Roaming\Bottomline\Bottomline PT-X SmartCard Plugin\1.2.0.4\com.bottomline.scsignerhost_mozilla.json
Type: binary
MD5: A2D52CE72DB17DCE333EA0E34193B064
SHA256: 65457BC13C160425134CB23C637EFA32FEDFBEDBC5BA3255C18F2921ECF343CB

PID: 1404
Process: msiexec.exe
Filename: C:\Users\admin\AppData\Roaming\Bottomline\Bottomline PT-X SmartCard Plugin\1.2.0.4\SCSignerNativeMessageHost.exe
Type: executable
MD5: 55CBA3C2D318C2A8434B49788109F491
SHA256: 4114C59A84065EADA324C43FEFC324967207FCD4CA910567A747210C30FFDB33

PID: 1404
Process: msiexec.exe
Filename: C:\Windows\Installer\MSI2029.tmp
Type: executable
MD5: EE41EA03D3EF817244DA5DF4DEFAAA1A
SHA256: EE20AF4BB18A71CFEF42FAD6795AE56E6479171B31B46A587F978EA522BBFB70
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 0
TCP/UDP connections: 5
DNS requests: 0
Threats: 0

HTTP requests

No HTTP requests

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
4 | System | 192.168.100.255:138 | | | | whitelisted
| | 224.0.0.252:5355 | | | | unknown
4 | System | 192.168.100.255:137 | | | | whitelisted
1080 | svchost.exe | 224.0.0.252:5355 | | | | unknown

DNS requests

No data

Threats

No threats detected
No debug info