Analytics Story: Malicious Inno Setup Loader

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious Inno Setup-based loaders, including monitoring for unexpected process trees, script execution, and memory-injection patterns originating from installer executables. Inno Setup is a widely used legitimate packaging tool, but its popularity and flexibility make it an attractive vehicle for malware delivery. Malicious actors abuse this framework to create installers that appear benign while hiding and executing embedded payloads. These loaders typically drop encrypted or obfuscated binaries to disk or inject them directly into memory without user consent. The dropped components are usually executed via scripting (e.g., embedded PowerShell or VBScript) or injected into memory using process injection techniques such as process hollowing, thread hijacking, or DLL side-loading. Some loaders include anti-analysis features such as sandbox evasion, VM detection, or delayed execution to avoid early sandbox detection. Their payloads range from commodity malware (infostealers, keyloggers, remote access trojans) to custom backdoors.

Why it matters

Detecting malicious Inno Setup-based loaders involves identifying deviations from typical installer behavior. While legitimate Inno Setup binaries follow predictable installation patterns, malicious variants exhibit suspicious child process activity—such as launching cmd.exe or powershell.exe, or performing in-memory execution without dropping a visible payload. Analysts may observe payloads being written to directories like %APPDATA%, %TEMP%, or %ProgramData%, followed by obfuscated execution mechanisms. Static analysis of the installer may reveal high-entropy sections, encrypted blobs, or anomalous script content embedded in the setup script. Behavioral analysis through EDR or sandboxing can further expose delayed execution, anti-VM logic, or environment fingerprinting techniques. Threat intelligence correlations—such as hashes, command-and-control domains, or loader-specific strings—can assist in clustering related loader campaigns. Detecting these loaders early is crucial, as they often serve as the initial access vector in multi-stage infection chains, enabling more severe intrusions or ransomware deployment.
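As an added example (not part of this analytic story or its detection content), the following Python applies the parent/child heuristic described above to constructed Sysmon Event ID 1 records: it scores children of an Inno Setup temporary copy that are script hosts or that run from %TEMP%, %APPDATA%, or %ProgramData%. It assumes Inno Setup's behaviour of unpacking a copy of the installer into %TEMP%\is-XXXXX.tmp before running; all paths, field names, and command lines are constructed samples.

```python
import ntpath
import re

# Constructed Sysmon Event ID 1 (process creation) records, reduced to the
# fields this heuristic needs. Sample values only, not real telemetry.
INNO_TMP = r"C:\Users\u\AppData\Local\Temp\is-4K3RA.tmp\setup-1.2.tmp"
SAMPLE_EVENTS = [
    {"Image": INNO_TMP, "ParentImage": r"C:\Users\u\Downloads\setup-1.2.exe",
     "CommandLine": "setup-1.2.tmp /SPAWNWND=1234"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": INNO_TMP,
     "CommandLine": "powershell.exe -nop -w hidden -enc AAAA"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Vendor\app.exe",
     "CommandLine": "cmd.exe /c echo ok"},
    {"Image": r"C:\ProgramData\upd\svc.exe", "ParentImage": INNO_TMP,
     "CommandLine": "svc.exe"},
]

# Assumption: Inno Setup unpacks a copy of itself into %TEMP%\is-XXXXX.tmp\
# before running; a parent matching this pattern marks "installer context".
INNO_PARENT = re.compile(r"\\is-[A-Z0-9]{5}\.tmp\\[^\\]+\.tmp$", re.I)
STAGING_DIRS = re.compile(r"\\(AppData\\(Local\\Temp|Roaming)|ProgramData)\\", re.I)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}
ENCODED_PS = re.compile(r"\s-(enc|e|ec|encodedcommand)\s", re.I)

def classify(event):
    """Return the reasons this process creation looks like loader behaviour,
    or an empty list if the event is unremarkable."""
    reasons = []
    if not INNO_PARENT.search(event["ParentImage"]):
        return reasons  # only children of an Inno Setup temp copy are scored
    child = ntpath.basename(event["Image"]).lower()
    if child in SCRIPT_HOSTS:
        reasons.append(f"installer spawned script host {child}")
        if ENCODED_PS.search(event["CommandLine"]):
            reasons.append("encoded PowerShell command line")
    if STAGING_DIRS.search(event["Image"]):
        reasons.append("installer launched payload from staging directory")
    return reasons

def hunt(events):
    """Map the index of each suspicious event to its list of reasons."""
    return {i: r for i, e in enumerate(events) if (r := classify(e))}

if __name__ == "__main__":
    for idx, reasons in hunt(SAMPLE_EVENTS).items():
        print(idx, SAMPLE_EVENTS[idx]["Image"], "->", "; ".join(reasons))
```

Tune SCRIPT_HOSTS and STAGING_DIRS to the environment; legitimate installers that run a post-install PowerShell step will also match the first rule, so the encoded-command reason is the stronger signal.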

Detections

Name | Technique | Type
--- | --- | ---
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Detect Renamed 7-Zip | Archive via Utility | Hunting
Hiding Files And Directories With Attrib exe | Windows File and Directory Permissions Modification | TTP
LOLBAS With Network Traffic | Ingress Tool Transfer, Exfiltration Over Web Service, System Binary Proxy Execution | TTP
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Recon Using WMI Class | Gather Victim Host Information, PowerShell | Anomaly
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows Chromium Browser No Security Sandbox Process | Virtualization/Sandbox Evasion | TTP
Windows Chromium Browser with Custom User Data Directory | Virtualization/Sandbox Evasion | Anomaly
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows Disable Internet Explorer Addons | Browser Extensions | Anomaly
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL | Hunting
Windows DNS Query Request To TinyUrl | Ingress Tool Transfer | Anomaly
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP
Windows Hijack Execution Flow Version Dll Side Load | DLL | Anomaly
Windows Scheduled Task Created Via XML | Scheduled Task | TTP
Windows Suspicious Process File Path | Create or Modify System Process, Match Legitimate Resource Name or Location | TTP
Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP
Windows Abused Web Services | Web Service | TTP

Data Sources

Name | Platform | Sourcetype | Source
--- | --- | --- | ---
CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike
Powershell Script Block Logging 4104 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational
Sysmon EventID 1 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 22 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 7 | Windows | xmlwineventlog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4688 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | xmlwineventlog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Windows Event Log TaskScheduler 201 | Windows | xmlwineventlog | XmlWinEventLog:Security

Source: GitHub | Version: 1