Analysis
max time kernel: 23s
max time network: 138s
platform: windows11-21h2_x64
resource: win11-20240214-en
resource tags: arch:x64, arch:x86, image:win11-20240214-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 21-02-2024 17:23
Static task: static1
Behavioral task: behavioral1
Sample: InputMapper1.7.7452.13622.exe
Resource: win11-20240214-en
General
Target: InputMapper1.7.7452.13622.exe
Size: 72.2MB
MD5: 1b166e39787476748358cca460fe4225
SHA1: b6ec60ab8ae6f5023c7f5696472eb30758022969
SHA256: ef06918e95921ffb5d2736c408fa329e142323f9c3337342b271654727e02608
SHA512: 5b19b1af07fe142140cce951b703f67462cdcdec790d927c0167ab21c6043ece7f4b7a815db0862a6fa1805d2b9df2e04d5cf7d9b1831f36a108e19123a277ab
SSDEEP: 1572864:2ccOiR2BpHHvjYvFkqv5Bm+H23T6XE5ywWXgmp2ZFUgiDB:QIP7Y2qrrcmXpD
Malware Config
Signatures
Loads dropped DLL (9 IoCs)
pid 2152, Process MsiExec.exe (reported 9 times)
Blocklisted process makes network request (1 IoC)
flow 2, pid 2152, Process MsiExec.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description: File opened (read-only); ioc: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 drives); Process: InputMapper1.7.7452.13622.exe
description: File opened (read-only); ioc: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (23 drives); Process: msiexec.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description: Token: SeSecurityPrivilege; pid 688; Process msiexec.exe (1 IoC)
description: Token: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege; pid 948; Process InputMapper1.7.7452.13622.exe (this sequence of 29 privileges is reported twice in full, then the first five again: 63 IoCs)
Suspicious use of FindShellTrayWindow (1 IoC)
pid 948, Process InputMapper1.7.7452.13622.exe
Suspicious use of WriteProcessMemory (3 IoCs)
description: PID 688 wrote to memory of 2152; pid 688; Process msiexec.exe; procid_target 80 (reported 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\InputMapper1.7.7452.13622.exe (PID 948)
  command line: "C:\Users\Admin\AppData\Local\Temp\InputMapper1.7.7452.13622.exe"
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
C:\Windows\system32\msiexec.exe (PID 688)
  command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  child: C:\Windows\syswow64\MsiExec.exe (PID 2152)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding BDBAE698BE20F20B2047ED30106A56DD C
    - Loads dropped DLL
    - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v15
Downloads