Analysis
max time kernel: 32s
max time network: 32s
platform: windows11-21h2_x64
resource: win11-20240508-en
resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 09-05-2024 16:34
Static task: static1
Behavioral task: behavioral1
Sample: innosetup-6.2.2 (1).exe
Resource: win11-20240508-en
General
Target: innosetup-6.2.2 (1).exe
Size: 4.5MB
MD5: 2893b10c36fddb20a38e9b8b9a44d647
SHA1: 9ab6a2f797d5efc3c5c3985d48fc63c6a111f643
SHA256: 8117d10d00a2ad33a1390978ea3872861c330e087914410a6377b22c4c5b8563
SHA512: 496375b1ce9c0d2f8eb3930ebd8366f5c4c938bc1eda47aed415e3f02bd8651a84a770a15f2825bf3c8ed9dbefa355b9eb805dd76bc782f6d8c8096d80443099
SSDEEP: 98304:6kLsYMYXKk7jmHED1W+Q6zBcLOYCwOo5mympFVWkj6Z:VsoJ7SHElRcLFEo5yhWkj6Z
Malware Config
Signatures
- Downloads MZ/PE file
- Executes dropped EXE (3 IoCs)
  Processes (pid, process):
  4432 innosetup-6.2.2 (1).tmp
  2344 Compil32.exe
  1920 Compil32.exe
- Loads dropped DLL (6 IoCs)
  Processes (pid, process):
  2344 Compil32.exe
  2344 Compil32.exe
  2344 Compil32.exe
  1920 Compil32.exe
  1920 Compil32.exe
  1920 Compil32.exe
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops file in Program Files directory (64 IoCs)
  Processes: innosetup-6.2.2 (1).tmp
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (27 IoCs)
  Processes: Compil32.exe, MiniSearchHost.exe
  Entries (description | ioc | process):
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell | Compil32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" \"%1\"" | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.iss\ = "InnoSetupScriptFile" | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\Compile\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" /cc \"%1\"" | Compil32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe\SupportedTypes\.iss | Compil32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open\command | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\ = "Open with &Inno Setup" | Compil32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" \"%1\"" | Compil32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\Compile | Compil32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\DefaultIcon | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\ = "Inno Setup Script" | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\DefaultIcon\ = "C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe,1" | Compil32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\open\command | Compil32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\Compile\command | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.iss\Content Type = "text/plain" | Compil32.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\Compile\ = "Compi&le" | Compil32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\Applications\Compil32.exe\SupportedTypes | Compil32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe\SupportedTypes | Compil32.exe
  Key created | \REGISTRY\USER\S-1-5-21-2457560273-69882387-977367775-1000_Classes\Local Settings\MuiCache | MiniSearchHost.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup | Compil32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command | Compil32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\.iss | Compil32.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Applications | Compil32.exe
  Key created | \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile | Compil32.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  4432 innosetup-6.2.2 (1).tmp
  4432 innosetup-6.2.2 (1).tmp
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid, process):
  4432 innosetup-6.2.2 (1).tmp
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
  2408 MiniSearchHost.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes: innosetup-6.2.2 (1).exe, innosetup-6.2.2 (1).tmp
  Entries (description | pid process | target process):
  PID 1892 wrote to memory of 4432 | 1892 innosetup-6.2.2 (1).exe | innosetup-6.2.2 (1).tmp
  PID 1892 wrote to memory of 4432 | 1892 innosetup-6.2.2 (1).exe | innosetup-6.2.2 (1).tmp
  PID 1892 wrote to memory of 4432 | 1892 innosetup-6.2.2 (1).exe | innosetup-6.2.2 (1).tmp
  PID 4432 wrote to memory of 2344 | 4432 innosetup-6.2.2 (1).tmp | Compil32.exe
  PID 4432 wrote to memory of 2344 | 4432 innosetup-6.2.2 (1).tmp | Compil32.exe
  PID 4432 wrote to memory of 2344 | 4432 innosetup-6.2.2 (1).tmp | Compil32.exe
  PID 4432 wrote to memory of 1920 | 4432 innosetup-6.2.2 (1).tmp | Compil32.exe
  PID 4432 wrote to memory of 1920 | 4432 innosetup-6.2.2 (1).tmp | Compil32.exe
  PID 4432 wrote to memory of 1920 | 4432 innosetup-6.2.2 (1).tmp | Compil32.exe
Processes (process tree; indentation shows parent/child depth)
C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2 (1).exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2 (1).exe"
  PID: 1892
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\is-HVC2D.tmp\innosetup-6.2.2 (1).tmp
    Command line: "C:\Users\Admin\AppData\Local\Temp\is-HVC2D.tmp\innosetup-6.2.2 (1).tmp" /SL5="$40220,3752627,832512,C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2 (1).exe"
    PID: 4432
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Inno Setup 6\Compil32.exe
      Command line: "C:\Program Files (x86)\Inno Setup 6\Compil32.exe" /ASSOC
      PID: 2344
      - Executes dropped EXE
      - Loads dropped DLL
      - Modifies registry class
    C:\Program Files (x86)\Inno Setup 6\Compil32.exe
      Command line: "C:\Program Files (x86)\Inno Setup 6\Compil32.exe"
      PID: 1920
      - Executes dropped EXE
      - Loads dropped DLL
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
  Command line: "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
  PID: 2408
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads