Resubmissions
09-05-2024 14:33
240509-rxayrsee7v  8  09-05-2024 13:32
240509-qs211sca4z  8  09-05-2024 13:30
240509-qr7j4sbh9s  7  09-05-2024 13:07
240509-qc3bvaba7v  8

Analysis
max time kernel: 35s
max time network: 38s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09-05-2024 13:07
Static task: static1
Behavioral task: behavioral1
Sample: innosetup-6.2.2 (1).exe
Resource: win10v2004-20240426-en
General
Target: innosetup-6.2.2 (1).exe
Size: 4.5MB
MD5: 2893b10c36fddb20a38e9b8b9a44d647
SHA1: 9ab6a2f797d5efc3c5c3985d48fc63c6a111f643
SHA256: 8117d10d00a2ad33a1390978ea3872861c330e087914410a6377b22c4c5b8563
SHA512: 496375b1ce9c0d2f8eb3930ebd8366f5c4c938bc1eda47aed415e3f02bd8651a84a770a15f2825bf3c8ed9dbefa355b9eb805dd76bc782f6d8c8096d80443099
SSDEEP: 98304:6kLsYMYXKk7jmHED1W+Q6zBcLOYCwOo5mympFVWkj6Z:VsoJ7SHElRcLFEo5yhWkj6Z
Malware Config
Signatures
Downloads MZ/PE file

Executes dropped EXE (3 IoCs)
Processes:
pid | process
3988 | innosetup-6.2.2 (1).tmp
1232 | Compil32.exe
4960 | Compil32.exe
Loads dropped DLL (6 IoCs)
Processes:
pid | process
1232 | Compil32.exe
1232 | Compil32.exe
1232 | Compil32.exe
4960 | Compil32.exe
4960 | Compil32.exe
4960 | Compil32.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Program Files (x86)\Inno Setup 6\ISCmplr.dll | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\islzma.dll | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-6GL5A.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-DO48R.tmp | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\isunzlib.dll | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-4SKOS.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-BGC69.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-HRIKP.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-48TDE.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-NE5M2.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-5ORLT.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-9M0O8.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-D8095.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-GSV74.tmp | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\isscint.dll | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\iszlib.dll | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\Examples\MyProg-ARM64.exe | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-L0Q8H.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-9C2CI.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-U7G7C.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-7NAIS.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-43587.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-2MD93.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-B24KU.tmp | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\Compil32.exe | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\Examples\MyProg.exe | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-EPMJU.tmp | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\ISCC.exe | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-C483K.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-DVFT1.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-VSK52.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-J8OET.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-E429P.tmp | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\isfaq.url | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\unins000.dat | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-SR5S1.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-QRI58.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-TKR7P.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-A8F0E.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-D2RL4.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-1KV5E.tmp | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\Examples\MyDll.dll | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-VKS6Q.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-ULNV0.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-E0212.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-T2MDP.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-FA5BN.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-41CH4.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-2CJ7O.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-OTOAV.tmp | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\Examples\MyProg.chm | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-PK60M.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-CC9E9.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\is-GNU8L.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-59G85.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-LKGBE.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-GG3U3.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-EGTRC.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\is-HMVFB.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-JMI29.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\Delphi\is-6N6DK.tmp | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-RSJ2D.tmp | innosetup-6.2.2 (1).tmp
File opened for modification | C:\Program Files (x86)\Inno Setup 6\ISetup.chm | innosetup-6.2.2 (1).tmp
File created | C:\Program Files (x86)\Inno Setup 6\Languages\is-SINTU.tmp | innosetup-6.2.2 (1).tmp
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (26 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup | Compil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\DefaultIcon\ = "C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe,1" | Compil32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" \"%1\"" | Compil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open\command | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" \"%1\"" | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe\SupportedTypes\.iss | Compil32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Applications\Compil32.exe\SupportedTypes | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\ = "Inno Setup Script" | Compil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell | Compil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open | Compil32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\Compile | Compil32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile | Compil32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\open\command | Compil32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\Compile\command | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.iss\ = "InnoSetupScriptFile" | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.iss\Content Type = "text/plain" | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\Compile\ = "Compi&le" | Compil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe\SupportedTypes | Compil32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\.iss | Compil32.exe
Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\DefaultIcon | Compil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\ = "Open with &Inno Setup" | Compil32.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\Compile\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" /cc \"%1\"" | Compil32.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications | Compil32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid | process
3988 | innosetup-6.2.2 (1).tmp
3988 | innosetup-6.2.2 (1).tmp
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes:
pid | process
3988 | innosetup-6.2.2 (1).tmp
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description | pid | process | target process
PID 1400 wrote to memory of 3988 | 1400 | innosetup-6.2.2 (1).exe | innosetup-6.2.2 (1).tmp
PID 1400 wrote to memory of 3988 | 1400 | innosetup-6.2.2 (1).exe | innosetup-6.2.2 (1).tmp
PID 1400 wrote to memory of 3988 | 1400 | innosetup-6.2.2 (1).exe | innosetup-6.2.2 (1).tmp
PID 3988 wrote to memory of 1232 | 3988 | innosetup-6.2.2 (1).tmp | Compil32.exe
PID 3988 wrote to memory of 1232 | 3988 | innosetup-6.2.2 (1).tmp | Compil32.exe
PID 3988 wrote to memory of 1232 | 3988 | innosetup-6.2.2 (1).tmp | Compil32.exe
PID 3988 wrote to memory of 4960 | 3988 | innosetup-6.2.2 (1).tmp | Compil32.exe
PID 3988 wrote to memory of 4960 | 3988 | innosetup-6.2.2 (1).tmp | Compil32.exe
PID 3988 wrote to memory of 4960 | 3988 | innosetup-6.2.2 (1).tmp | Compil32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2 (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2 (1).exe"
  PID: 1400
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-5KPLH.tmp\innosetup-6.2.2 (1).tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-5KPLH.tmp\innosetup-6.2.2 (1).tmp" /SL5="$7020C,3752627,832512,C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2 (1).exe"
    PID: 3988
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Inno Setup 6\Compil32.exe
      Command line: "C:\Program Files (x86)\Inno Setup 6\Compil32.exe" /ASSOC
      PID: 1232
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
    C:\Program Files (x86)\Inno Setup 6\Compil32.exe
      Command line: "C:\Program Files (x86)\Inno Setup 6\Compil32.exe"
      PID: 4960
      - Executes dropped EXE
      - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2.7MB
MD5: 9883f2b76a55bba9ad696669845b7aec
SHA1: 6778e521b30cd2652d3e4d0a2cedfa3169782523
SHA256: f33e603734fded7452d016e96097dbe144a7294fea2a504c44693ff06ac8f014
SHA512: 1b06a8586dc4addece0adb7950825ff12eff25184761b0185cb72ce771af2d154f9b8ba619dd035402e186a389cc8867142361307e4960144fe7ec493bfe2a65

Filesize: 1.6MB
MD5: b2798de167b7ae95b44be03ec3a56eab
SHA1: 37f830e5d88a509d25983ddfc50d6ebd7982d7da
SHA256: 1a8a9332d55229b71749c7b01b8e4c1e34ae958be9d35f6dac76e233cdcf2deb
SHA512: 1c02d80ff9b10c1162a10e23896b40053ddfdc578a2a8b408f79098514d922bd0181154428462f43f0a41d89d90dbc65acc7a623f2f686ef197b027b715231e5

Filesize: 2KB
MD5: a69559718ab506675e907fe49deb71e9
SHA1: bc8f404ffdb1960b50c12ff9413c893b56f2e36f
SHA256: 2f6294f9aa09f59a574b5dcd33be54e16b39377984f3d5658cda44950fa0f8fc
SHA512: e52e0aa7fe3f79e36330c455d944653d449ba05b2f9abee0914a0910c3452cfa679a40441f9ac696b3ccf9445cbb85095747e86153402fc362bb30ac08249a63

Filesize: 283KB
MD5: 8ed7503a4a911a37b3719050962bcd93
SHA1: 1c8b8d2a8f90c98f2567287197d6a05a0231321d
SHA256: 7d1c2cc3f4b6a1eee8eadffc7991df534566dfd5e0dad6e44f2409ff47030a95
SHA512: 70d8aa132ab20012ee44c5e211bf3b8bb687c97589cebd3302232395733ff878543877ee1255fa937eb1c7511c54019846ae07921e81b613f12284473e97acd8

Filesize: 3.1MB
MD5: 1a860ade3cf55b75dca48e96e5a7fb65
SHA1: 595e3d6255f52792c62e7e3c6e1c17039da1b813
SHA256: 7d1aa4fa34882122afe88fab6b14b97ef75f26e41dcfefd606f17444016b46aa
SHA512: ec7a49e257863b3dee39c1352b8fd65d3e4a6e4941f74a2082d92b41971d3f73d1ecc44d9ea64c7ce715117e1a1e4316b3631290425a967b4e3678d1cbd5b409