Analysis
max time kernel
27s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags
arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
submitted
31-05-2024 07:38
Static task
static1
Behavioral task
behavioral1
Sample
innosetup-6.2.2.exe
Resource
win11-20240508-en
General
Target
innosetup-6.2.2.exe
Size
4.5MB
MD5
2893b10c36fddb20a38e9b8b9a44d647
SHA1
9ab6a2f797d5efc3c5c3985d48fc63c6a111f643
SHA256
8117d10d00a2ad33a1390978ea3872861c330e087914410a6377b22c4c5b8563
SHA512
496375b1ce9c0d2f8eb3930ebd8366f5c4c938bc1eda47aed415e3f02bd8651a84a770a15f2825bf3c8ed9dbefa355b9eb805dd76bc782f6d8c8096d80443099
SSDEEP
98304:6kLsYMYXKk7jmHED1W+Q6zBcLOYCwOo5mympFVWkj6Z:VsoJ7SHElRcLFEo5yhWkj6Z
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
Processes:
pid   process
2360  innosetup-6.2.2.tmp
944   Compil32.exe
2064  Compil32.exe
Loads dropped DLL (6 IoCs)
Processes:
pid   process
944   Compil32.exe
944   Compil32.exe
944   Compil32.exe
2064  Compil32.exe
2064  Compil32.exe
2064  Compil32.exe
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Program Files directory (64 IoCs)
Processes (process for every row: innosetup-6.2.2.tmp):
description                   ioc
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-R3R7U.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-8EVHP.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-U882G.tmp
File opened for modification  C:\Program Files (x86)\Inno Setup 6\Examples\MyProg.chm
File created                  C:\Program Files (x86)\Inno Setup 6\is-UAS6N.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-FVTQ7.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-J6SVQ.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-K8EH2.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-FQSAR.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-J8FOB.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-CD9Q5.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-CDQRM.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-734VG.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-JR0F1.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-NKFKL.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-01TD3.tmp
File opened for modification  C:\Program Files (x86)\Inno Setup 6\isbunzip.dll
File opened for modification  C:\Program Files (x86)\Inno Setup 6\ISCC.exe
File opened for modification  C:\Program Files (x86)\Inno Setup 6\ISCmplr.dll
File opened for modification  C:\Program Files (x86)\Inno Setup 6\unins000.dat
File created                  C:\Program Files (x86)\Inno Setup 6\is-SEI4B.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-VH11R.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-Q4DT9.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\Properties\is-PAL91.tmp
File opened for modification  C:\Program Files (x86)\Inno Setup 6\Examples\MyProg-x64.exe
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-9O2VU.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-5KLKE.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-MG60I.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-8JOJ5.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-87T57.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-21S46.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-JADT2.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-D79H6.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-R2HGJ.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-OEPQC.tmp
File opened for modification  C:\Program Files (x86)\Inno Setup 6\islzma64.exe
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-9E0F5.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-T7I6P.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-KIC3G.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-TF0FJ.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-MEK0V.tmp
File opened for modification  C:\Program Files (x86)\Inno Setup 6\ISPP.dll
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-R47V5.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-RHF58.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-K92NR.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-4BNLJ.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-DB017.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-LURS4.tmp
File opened for modification  C:\Program Files (x86)\Inno Setup 6\isscint.dll
File opened for modification  C:\Program Files (x86)\Inno Setup 6\islzma.dll
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-F2JBJ.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-BGSGP.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-C46FE.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-3C59S.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-3O86Q.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-9CECH.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Languages\is-MP87I.tmp
File opened for modification  C:\Program Files (x86)\Inno Setup 6\iszlib.dll
File created                  C:\Program Files (x86)\Inno Setup 6\is-FIK2D.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-V3OFK.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\Examples\is-2O2MU.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\is-6DPCD.tmp
File created                  C:\Program Files (x86)\Inno Setup 6\unins000.msg
File opened for modification  C:\Program Files (x86)\Inno Setup 6\isunzlib.dll
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (26 IoCs)
Processes (process for every row: Compil32.exe):
description       ioc
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.iss\ = "InnoSetupScriptFile"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\ = "Open with &Inno Setup"
Key created       \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\Compile
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Applications
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\ = "Inno Setup Script"
Key created       \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe\SupportedTypes
Key created       \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\open\command
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\Compile\ = "Compi&le"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe\SupportedTypes\.iss
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open\command
Key created       \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\Compile\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" /cc \"%1\""
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\.iss\Content Type = "text/plain"
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\DefaultIcon\ = "C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe,1"
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile
Key created       \REGISTRY\MACHINE\Software\Classes\Applications\Compil32.exe\SupportedTypes
Key created       \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile
Key created       \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\DefaultIcon
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell
Key created       \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" \"%1\""
Key created       \REGISTRY\MACHINE\Software\Classes\.iss
Set value (str)   \REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" \"%1\""
Key created       \REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\Compile\command
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
pid   process
2360  innosetup-6.2.2.tmp
2360  innosetup-6.2.2.tmp
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid   process
2360  innosetup-6.2.2.tmp
Suspicious use of WriteProcessMemory (9 IoCs)
Processes:
description                        pid   process              target process
PID 760 wrote to memory of 2360    760   innosetup-6.2.2.exe  innosetup-6.2.2.tmp
PID 760 wrote to memory of 2360    760   innosetup-6.2.2.exe  innosetup-6.2.2.tmp
PID 760 wrote to memory of 2360    760   innosetup-6.2.2.exe  innosetup-6.2.2.tmp
PID 2360 wrote to memory of 944    2360  innosetup-6.2.2.tmp  Compil32.exe
PID 2360 wrote to memory of 944    2360  innosetup-6.2.2.tmp  Compil32.exe
PID 2360 wrote to memory of 944    2360  innosetup-6.2.2.tmp  Compil32.exe
PID 2360 wrote to memory of 2064   2360  innosetup-6.2.2.tmp  Compil32.exe
PID 2360 wrote to memory of 2064   2360  innosetup-6.2.2.tmp  Compil32.exe
PID 2360 wrote to memory of 2064   2360  innosetup-6.2.2.tmp  Compil32.exe
Processes (process tree; depth shown by indentation)

[1] C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2.exe"
    PID: 760
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\is-U6RB4.tmp\innosetup-6.2.2.tmp
        Command line: "C:\Users\Admin\AppData\Local\Temp\is-U6RB4.tmp\innosetup-6.2.2.tmp" /SL5="$4020E,3752627,832512,C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2.exe"
        PID: 2360
        - Executes dropped EXE
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Inno Setup 6\Compil32.exe
            Command line: "C:\Program Files (x86)\Inno Setup 6\Compil32.exe" /ASSOC
            PID: 944
            - Executes dropped EXE
            - Loads dropped DLL
            - Modifies registry class

        [3] C:\Program Files (x86)\Inno Setup 6\Compil32.exe
            Command line: "C:\Program Files (x86)\Inno Setup 6\Compil32.exe"
            PID: 2064
            - Executes dropped EXE
            - Loads dropped DLL
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize
2.7MB
MD5
9883f2b76a55bba9ad696669845b7aec
SHA1
6778e521b30cd2652d3e4d0a2cedfa3169782523
SHA256
f33e603734fded7452d016e96097dbe144a7294fea2a504c44693ff06ac8f014
SHA512
1b06a8586dc4addece0adb7950825ff12eff25184761b0185cb72ce771af2d154f9b8ba619dd035402e186a389cc8867142361307e4960144fe7ec493bfe2a65

Filesize
1.6MB
MD5
b2798de167b7ae95b44be03ec3a56eab
SHA1
37f830e5d88a509d25983ddfc50d6ebd7982d7da
SHA256
1a8a9332d55229b71749c7b01b8e4c1e34ae958be9d35f6dac76e233cdcf2deb
SHA512
1c02d80ff9b10c1162a10e23896b40053ddfdc578a2a8b408f79098514d922bd0181154428462f43f0a41d89d90dbc65acc7a623f2f686ef197b027b715231e5

Filesize
283KB
MD5
8ed7503a4a911a37b3719050962bcd93
SHA1
1c8b8d2a8f90c98f2567287197d6a05a0231321d
SHA256
7d1c2cc3f4b6a1eee8eadffc7991df534566dfd5e0dad6e44f2409ff47030a95
SHA512
70d8aa132ab20012ee44c5e211bf3b8bb687c97589cebd3302232395733ff878543877ee1255fa937eb1c7511c54019846ae07921e81b613f12284473e97acd8

Filesize
3.1MB
MD5
1a860ade3cf55b75dca48e96e5a7fb65
SHA1
595e3d6255f52792c62e7e3c6e1c17039da1b813
SHA256
7d1aa4fa34882122afe88fab6b14b97ef75f26e41dcfefd606f17444016b46aa
SHA512
ec7a49e257863b3dee39c1352b8fd65d3e4a6e4941f74a2082d92b41971d3f73d1ecc44d9ea64c7ce715117e1a1e4316b3631290425a967b4e3678d1cbd5b409