8117d10d00a2ad33a1390978ea3872861c330e087914410a6377b22c4c5b8563

General

Target

innosetup-6.2.2.exe
Size

4.5MB
MD5

2893b10c36fddb20a38e9b8b9a44d647
SHA1

9ab6a2f797d5efc3c5c3985d48fc63c6a111f643
SHA256

8117d10d00a2ad33a1390978ea3872861c330e087914410a6377b22c4c5b8563
SHA512

496375b1ce9c0d2f8eb3930ebd8366f5c4c938bc1eda47aed415e3f02bd8651a84a770a15f2825bf3c8ed9dbefa355b9eb805dd76bc782f6d8c8096d80443099
SSDEEP

98304:6kLsYMYXKk7jmHED1W+Q6zBcLOYCwOo5mympFVWkj6Z:VsoJ7SHElRcLFEo5yhWkj6Z

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

innosetup-6.2.2.tmpCompil32.exeCompil32.exe

pid process

1736 innosetup-6.2.2.tmp
2304 Compil32.exe
1772 Compil32.exe

pid	process
1736	innosetup-6.2.2.tmp
2304	Compil32.exe
1772	Compil32.exe

Loads dropped DLL 8 IoCs

Processes:

innosetup-6.2.2.exeinnosetup-6.2.2.tmpCompil32.exeCompil32.exe

pid	process
3016	innosetup-6.2.2.exe
1736	innosetup-6.2.2.tmp
1736	innosetup-6.2.2.tmp
2304	Compil32.exe
2304	Compil32.exe
1736	innosetup-6.2.2.tmp
1772	Compil32.exe
1772	Compil32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

Processes:

innosetup-6.2.2.tmp

description	ioc	process
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-50BB8.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-DD9CI.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-9M0O1.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\unins000.dat	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-TB170.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-AMHSJ.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-PHC2M.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-2G541.tmp	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\Examples\MyDll.dll	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-2RRH8.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-C7A4Q.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-3SU5A.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-72133.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-KEL8M.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-AFG67.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-6920O.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-6483S.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-9MH93.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-2SM73.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-915MK.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-1F4N4.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-RV8TA.tmp	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\unins000.dat	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-RRV59.tmp	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\Examples\MyProg-x64.exe	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-R6OGF.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-IKTS6.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-K5GRF.tmp	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\islzma32.exe	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C\is-IKA0O.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-Q4GE0.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-HUA27.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-P0EU3.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-6F12Q.tmp	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\Examples\MyProg.chm	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-J41TA.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-L1E3S.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\Properties\is-VK15J.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-1J4PC.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-VR3DO.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-M10J2.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-93GHF.tmp	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\isfaq.url	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\isbunzip.dll	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\islzma64.exe	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-8AKM3.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-RJQ4F.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-2KSG0.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\unins000.msg	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-Q8FS5.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-F8LHG.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-DFMVK.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-106I2.tmp	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\iszlib.dll	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-TD9QU.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-NFF0R.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-1FV0U.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\MyDll\C#\is-FAUUT.tmp	innosetup-6.2.2.tmp
File opened for modification	C:\Program Files (x86)\Inno Setup 6\isunzlib.dll	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-41RL7.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-Q3K0R.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\is-5HGPN.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Languages\is-IACBL.tmp	innosetup-6.2.2.tmp
File created	C:\Program Files (x86)\Inno Setup 6\Examples\is-R6ND5.tmp	innosetup-6.2.2.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 26 IoCs

Processes:

Compil32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\.iss	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\ = "Inno Setup Script"	Compil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\Compile\ = "Compi&le"	Compil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open\command	Compil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe\SupportedTypes\.iss	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iss\ = "InnoSetupScriptFile"	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.iss\Content Type = "text/plain"	Compil32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\Compile	Compil32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Applications\Compil32.exe\SupportedTypes	Compil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\Compil32.exe\SupportedTypes	Compil32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\DefaultIcon	Compil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell	Compil32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\open\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" \"%1\""	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" \"%1\""	Compil32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\Compile\command	Compil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications	Compil32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\DefaultIcon\ = "C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe,1"	Compil32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\open\command	Compil32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\ = "Open with &Inno Setup"	Compil32.exe
Key created	\REGISTRY\MACHINE\Software\Classes\InnoSetupScriptFile\shell\OpenWithInnoSetup\command	Compil32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\InnoSetupScriptFile\shell\Compile\command\ = "\"C:\\Program Files (x86)\\Inno Setup 6\\Compil32.exe\" /cc \"%1\""	Compil32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

innosetup-6.2.2.tmp

pid process

1736 innosetup-6.2.2.tmp
1736 innosetup-6.2.2.tmp
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

innosetup-6.2.2.tmp

pid process

1736 innosetup-6.2.2.tmp

pid	process
1736	innosetup-6.2.2.tmp
1736	innosetup-6.2.2.tmp

pid	process
1736	innosetup-6.2.2.tmp

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

innosetup-6.2.2.exeinnosetup-6.2.2.tmp

description	pid	process	target process
PID 3016 wrote to memory of 1736	3016	innosetup-6.2.2.exe	innosetup-6.2.2.tmp
PID 3016 wrote to memory of 1736	3016	innosetup-6.2.2.exe	innosetup-6.2.2.tmp
PID 3016 wrote to memory of 1736	3016	innosetup-6.2.2.exe	innosetup-6.2.2.tmp
PID 3016 wrote to memory of 1736	3016	innosetup-6.2.2.exe	innosetup-6.2.2.tmp
PID 3016 wrote to memory of 1736	3016	innosetup-6.2.2.exe	innosetup-6.2.2.tmp
PID 3016 wrote to memory of 1736	3016	innosetup-6.2.2.exe	innosetup-6.2.2.tmp
PID 3016 wrote to memory of 1736	3016	innosetup-6.2.2.exe	innosetup-6.2.2.tmp
PID 1736 wrote to memory of 2304	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 2304	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 2304	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 2304	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 2304	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 2304	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 2304	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 1772	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 1772	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 1772	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 1772	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 1772	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 1772	1736	innosetup-6.2.2.tmp	Compil32.exe
PID 1736 wrote to memory of 1772	1736	innosetup-6.2.2.tmp	Compil32.exe

C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2.exe
"C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\is-3I1I1.tmp\innosetup-6.2.2.tmp
"C:\Users\Admin\AppData\Local\Temp\is-3I1I1.tmp\innosetup-6.2.2.tmp" /SL5="$3014E,3752627,832512,C:\Users\Admin\AppData\Local\Temp\innosetup-6.2.2.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1736

C:\Program Files (x86)\Inno Setup 6\Compil32.exe
"C:\Program Files (x86)\Inno Setup 6\Compil32.exe" /ASSOC
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
PID:2304

C:\Program Files (x86)\Inno Setup 6\Compil32.exe
"C:\Program Files (x86)\Inno Setup 6\Compil32.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-3I1I1.tmp\innosetup-6.2.2.tmp

Filesize
3.1MB

MD5
1a860ade3cf55b75dca48e96e5a7fb65

SHA1
595e3d6255f52792c62e7e3c6e1c17039da1b813

SHA256
7d1aa4fa34882122afe88fab6b14b97ef75f26e41dcfefd606f17444016b46aa

SHA512
ec7a49e257863b3dee39c1352b8fd65d3e4a6e4941f74a2082d92b41971d3f73d1ecc44d9ea64c7ce715117e1a1e4316b3631290425a967b4e3678d1cbd5b409

Download Submit
\Program Files (x86)\Inno Setup 6\Compil32.exe

Filesize
2.7MB

MD5
9883f2b76a55bba9ad696669845b7aec

SHA1
6778e521b30cd2652d3e4d0a2cedfa3169782523

SHA256
f33e603734fded7452d016e96097dbe144a7294fea2a504c44693ff06ac8f014

SHA512
1b06a8586dc4addece0adb7950825ff12eff25184761b0185cb72ce771af2d154f9b8ba619dd035402e186a389cc8867142361307e4960144fe7ec493bfe2a65

Download Submit
\Program Files (x86)\Inno Setup 6\ISCmplr.dll

Filesize
1.6MB

MD5
b2798de167b7ae95b44be03ec3a56eab

SHA1
37f830e5d88a509d25983ddfc50d6ebd7982d7da

SHA256
1a8a9332d55229b71749c7b01b8e4c1e34ae958be9d35f6dac76e233cdcf2deb

SHA512
1c02d80ff9b10c1162a10e23896b40053ddfdc578a2a8b408f79098514d922bd0181154428462f43f0a41d89d90dbc65acc7a623f2f686ef197b027b715231e5

Download Submit
\Program Files (x86)\Inno Setup 6\isscint.dll

Filesize
283KB

MD5
8ed7503a4a911a37b3719050962bcd93

SHA1
1c8b8d2a8f90c98f2567287197d6a05a0231321d

SHA256
7d1c2cc3f4b6a1eee8eadffc7991df534566dfd5e0dad6e44f2409ff47030a95

SHA512
70d8aa132ab20012ee44c5e211bf3b8bb687c97589cebd3302232395733ff878543877ee1255fa937eb1c7511c54019846ae07921e81b613f12284473e97acd8

Download Submit
memory/1736-233-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1736-8-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1736-210-0x0000000000400000-0x000000000071C000-memory.dmp

Filesize
3.1MB

Download
memory/1772-236-0x0000000000800000-0x00000000009A6000-memory.dmp

Filesize
1.6MB

Download
memory/1772-235-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2304-222-0x0000000000920000-0x0000000000AC6000-memory.dmp

Filesize
1.6MB

Download
memory/2304-221-0x0000000000400000-0x00000000006C7000-memory.dmp

Filesize
2.8MB

Download
memory/2304-220-0x0000000000920000-0x0000000000AC6000-memory.dmp

Filesize
1.6MB

Download
memory/3016-209-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3016-0-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download
memory/3016-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/3016-234-0x0000000000400000-0x00000000004D8000-memory.dmp

Filesize
864KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads