Analytics Story: Malicious Inno Setup Loader

Description

Leverage searches that allow you to detect and investigate unusual activities that might relate to malicious Inno Setup-based loaders, including unexpected process trees, script execution, and memory injection patterns originating from installer executables. Inno Setup is a widely used legitimate packaging tool, but its popularity and flexibility make it an attractive vehicle for malware delivery. Malicious actors abuse this framework to create installers that appear benign while hiding and executing embedded payloads. These loaders typically drop encrypted or obfuscated binaries to disk or inject them directly into memory without user consent. The dropped components are then executed via scripting (e.g., embedded PowerShell or VBScript) or loaded into memory using process injection techniques such as Process Hollowing, Thread Hijacking, or DLL Side-Loading. Some loaders include anti-analysis features such as sandbox evasion, VM detection, or delayed execution to avoid early sandbox detection. Their payloads range from commodity malware (infostealers, keyloggers, remote access trojans) to custom backdoors.

Why it matters

Detecting malicious Inno Setup-based loaders involves identifying deviations from typical installer behavior. While legitimate Inno Setup binaries follow predictable installation patterns, malicious variants exhibit suspicious child process activity, such as launching cmd.exe or powershell.exe, or performing in-memory execution without dropping a visible payload. Analysts may observe payloads being written to directories like %APPDATA%, %TEMP%, or %ProgramData%, followed by obfuscated execution mechanisms. Static analysis of the installer may reveal high-entropy sections, encrypted blobs, or anomalous script content embedded in the setup script. Behavioral analysis through EDR or sandboxing can further expose delayed execution, anti-VM logic, or environment fingerprinting techniques. Threat intelligence correlations, such as hashes, command-and-control domains, or loader-specific strings, can assist in clustering related loader campaigns. Detecting these loaders early is crucial, as they often serve as the initial access vector in multi-stage infection chains, enabling more severe intrusions or ransomware deployment.
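As an added example that is not part of this analytics story or the Splunk content, the following Python applies the process-tree rule described above (an installer running from a staging directory spawning cmd.exe or powershell.exe) to constructed Sysmon EventID 1-style records. Field names follow Sysmon; the staging-directory pattern, the `is-XXXXX.tmp` parent path and the sample command lines are assumptions made for the example.

```python
"""Flag installer-originated process trees typical of Inno Setup loader abuse.

Added example over constructed Sysmon EventID 1-style events (ParentImage,
Image, CommandLine). Rule: a parent running from a user-writable staging
directory (%TEMP%, %APPDATA%, %ProgramData%) spawns cmd.exe or powershell.exe.
"""
import re
from dataclasses import dataclass

# Assumed concrete paths for the staging directories named in the story.
STAGING_DIR_RE = re.compile(
    r"^c:\\(users\\[^\\]+\\appdata\\(local\\temp|roaming)|programdata)\\",
    re.IGNORECASE,
)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe"}  # child processes the story calls out


@dataclass(frozen=True)
class Finding:
    parent: str
    child: str
    command_line: str


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_staging_dir(path: str) -> bool:
    return bool(STAGING_DIR_RE.match(path))


def find_suspicious_children(events: list[dict]) -> list[Finding]:
    """Return one Finding per script host spawned from a staging directory."""
    return [
        Finding(ev["ParentImage"], ev["Image"], ev["CommandLine"])
        for ev in events
        if in_staging_dir(ev["ParentImage"]) and basename(ev["Image"]) in SCRIPT_HOSTS
    ]


# Constructed sample events (not from any real incident). The is-XXXXX.tmp
# folder is an assumed Inno Setup-style temporary extraction directory.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\is-K3J9Q.tmp\setup.tmp",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -w hidden -File C:\Users\alice\AppData\Roaming\stage2.ps1"},
    {"ParentImage": r"C:\Users\alice\Downloads\vendor-setup.exe",           # not a staging dir
     "Image": r"C:\Windows\System32\msiexec.exe", "CommandLine": "msiexec.exe /i app.msi"},
    {"ParentImage": r"C:\Windows\explorer.exe",                             # interactive use
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe"},
    {"ParentImage": r"C:\ProgramData\UpdSvc\update.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c start run.vbs"},
    {"ParentImage": r"C:\Users\alice\AppData\Local\Temp\is-K3J9Q.tmp\setup.tmp",
     "Image": r"C:\Windows\System32\regsvr32.exe", "CommandLine": "regsvr32.exe x.dll"},  # outside rule scope
]

if __name__ == "__main__":
    for f in find_suspicious_children(SAMPLE_EVENTS):
        print(f"ALERT parent={f.parent} child={f.child} cmd={f.command_line}")
```

The last sample shows the rule's limit: a non-script-host child from the same installer is not flagged here and would need the DLL side-loading and injection detections listed below.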

Detections

Name | Technique | Type
Suspicious Scheduled Task from Public Directory | Scheduled Task | Anomaly
Windows Chromium Browser with Custom User Data Directory | Virtualization/Sandbox Evasion | Anomaly
WinEvent Scheduled Task Created Within Public Path | Scheduled Task | TTP
Hiding Files And Directories With Attrib exe | Windows Permissions | TTP
WinEvent Windows Task Scheduler Event Action Started | Scheduled Task | Hunting
Windows Disable Internet Explorer Addons | Browser Extensions | Anomaly
Windows Unsigned DLL Side-Loading In Same Process Path | DLL | TTP
Non Firefox Process Access Firefox Profile Dir | Credentials from Web Browsers | Anomaly
Windows DLL Search Order Hijacking Hunt with Sysmon | DLL | Hunting
Windows DNS Query Request To TinyUrl | Ingress Tool Transfer | Anomaly
Windows Suspicious Process File Path | Match Legitimate Resource Name or Location, Create or Modify System Process | TTP
Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly
Windows Scheduled Task Created Via XML | Scheduled Task | Anomaly
Windows Abused Web Services | Web Service | Anomaly
Windows Chromium Browser No Security Sandbox Process | Virtualization/Sandbox Evasion | TTP
CMD Carry Out String Command Parameter | Windows Command Shell | Hunting
Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly
Windows Hijack Execution Flow Version Dll Side Load | DLL | Anomaly
LOLBAS With Network Traffic | Ingress Tool Transfer, System Binary Proxy Execution, Exfiltration Over Web Service | TTP
Detect Renamed 7-Zip | Archive via Utility | Hunting
Windows Credential Access From Browser Password Store | Query Registry | Anomaly
Windows Hidden Schedule Task Settings | Scheduled Task/Job | TTP
Non Chrome Process Accessing Chrome Default Dir | Credentials from Web Browsers | Anomaly
Suspicious Process DNS Query Known Abuse Web Services | Visual Basic | TTP
Windows Credentials from Password Stores Chrome Extension Access | Query Registry | Anomaly
Recon Using WMI Class | PowerShell, Gather Victim Host Information | Anomaly

Data Sources

Name | Platform | Sourcetype | Source
CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike
Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log Security 4698 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 201 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Windows Event Log TaskScheduler 200 | Windows | wineventlog | WinEventLog:Microsoft-Windows-TaskScheduler/Operational
Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security
Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Sysmon EventID 3 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational
Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational

Source: GitHub | Version: 2