e67cb5c9cf008296b2fbc28c990c5620de84520a9f3a6a4de14c49fff1478ee3

General

Target

Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe
Size

698.6MB
MD5

c19227e74f0fedfbd0ba8045196fd6e2
SHA1

b4394748c37ac772f59a203d92bb76a06f84b245
SHA256

e67cb5c9cf008296b2fbc28c990c5620de84520a9f3a6a4de14c49fff1478ee3
SHA512

8e6716ab3021921fc94f755499974fb4549620c57d4eec0be1402da667247e1434817cf02c0ea3258cb0b8814da9f0970a051e2bde6a7f7e4c08832fa3562ba3
SSDEEP

12582912:1u5I/7sxFIiuwW9HgkEf4dGurYT4jcnW7Qsx7mgvCh9NlRM/asa6jHyNTmi2EOm6:A5IDsrhwfYu0sNQuCHy/aD6Tycj

Score

8^/10

evasion upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
456	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe

Executes dropped EXE 2 IoCs

pid	Process
412	helper.exe
3352	Autorun.exe

Loads dropped DLL 2 IoCs

pid	Process
412	helper.exe
412	helper.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023230-189.dat	upx
behavioral2/memory/3352-192-0x0000000000400000-0x00000000008AB000-memory.dmp	upx
behavioral2/memory/3352-195-0x0000000000400000-0x00000000008AB000-memory.dmp	upx

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	C:\\InDesign2021x64\AUTORUN.inf	Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe
File opened for modification	C:\\InDesign2021x64\AUTORUN.inf	Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Control Panel 1 IoCs

evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International	Autorun.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
412	helper.exe
3352	Autorun.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 412	4584	Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe	100
PID 4584 wrote to memory of 412	4584	Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe	100
PID 4584 wrote to memory of 412	4584	Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe	100
PID 412 wrote to memory of 456	412	helper.exe	102
PID 412 wrote to memory of 456	412	helper.exe	102
PID 412 wrote to memory of 456	412	helper.exe	102
PID 412 wrote to memory of 4152	412	helper.exe	105
PID 412 wrote to memory of 4152	412	helper.exe	105
PID 412 wrote to memory of 4152	412	helper.exe	105
PID 412 wrote to memory of 3352	412	helper.exe	107
PID 412 wrote to memory of 3352	412	helper.exe	107
PID 412 wrote to memory of 3352	412	helper.exe	107

C:\Users\Admin\AppData\Local\Temp\Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe
"C:\Users\Admin\AppData\Local\Temp\Adobe InDesign 2021 16.3.0.24 RePack by KpoJIuK.exe"
1⤵
- Checks computer location settings
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
PID:4584
- C:\InDesign2021x64\install\helper.exe
  "C:\InDesign2021x64\install\helper.exe" /XSTART
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:412
- - C:\Windows\SysWOW64\netsh.exe
    netsh.exe advfirewall firewall delete rule name="all" remoteip=95.141.193.133
    3⤵
    - Modifies Windows Firewall
    PID:456
- - C:\Windows\SysWOW64\route.exe
    route.exe delete 95.141.193.133
    3⤵
    PID:4152
- - C:\InDesign2021x64\Autorun.exe
    C:\InDesign2021x64\Autorun.exe
    3⤵
    - Executes dropped EXE
    - Modifies Control Panel
    - Suspicious use of SetWindowsHookEx
    PID:3352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

1

T1091

Execution

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify System Firewall

1

T1562.004

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Replication Through Removable Media

1

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\InDesign2021x64\AUTORUN.exe

Filesize
988KB

MD5
da747ddfbc719e1eebf4a751f8a61cf8

SHA1
45f21778a4f58224c6cb2edaab55070bb61c47dd

SHA256
2e9cdf31e2dcb93f9126b7ac208ed7557a432962d38d95ab389734f9c932ccc9

SHA512
256b8bfe13a5cefa38980a8b82f875d76ecdb1def3341b4e26dd95cf261b89aca3fa5a9dea9997e8743979a228904607468fb176db5cf80034657c38a70bcaa2

Download Submit
C:\InDesign2021x64\install\Helper.exe

Filesize
14.0MB

MD5
89f4d31fa47d5ba9b4719537efaa8803

SHA1
03bab1e47ddf39e8f05dcd5c9ce84242179da9e5

SHA256
e11ff6d7f9820919f2851d4b912c9555c51a4f32038445d39891d3ce04755c40

SHA512
2398798e0b3f3b408b5fb81eca3c0abbc3c659fa8f451704bbc3c2880c41e25660e15aa25af7251d98f688583a4b0d578aec0c9a692bcada9fe9a28334eba7ed

Download Submit
C:\InDesign2021x64\install\Helper.exe

Filesize
11.0MB

MD5
e845bb2704792068111e7ef35a740d11

SHA1
f333737f65b55b492a862bd841ed9a94d6359a2f

SHA256
d55301c2b0306a3e5c8545fb49d6e69bdf7246d89ab14d359b2f0cef8777e6cd

SHA512
6abb285da32161d9a69f5fa1ba1ca3410a462abd86bb8f74a617f3ed9eebc9b4f4124a465bea0da42bd9240b3a1363180be33026ef6dcf1c5398065609bb51fa

Download Submit
C:\InDesign2021x64\install\config.ini

Filesize
114B

MD5
cf3f4261586a16375d06fbcb20623db5

SHA1
3afd2ed0536eb72831122c1fe334f4b058afa101

SHA256
a65ab6e54ab96873d97dd3963410d210800330fae0d74912e5036ac807030880

SHA512
a8506e8429783903c52f65b443db3fad8ac48b8591bc659b2c03e771bdfa206c2dd16f48767ce09a625ec53b4c241fc9aff27e2a79958c1ce5429f60aa4b2679

Download Submit
C:\InDesign2021x64\install\helper.exe

Filesize
13.1MB

MD5
ead3919051c754abb1a6f484b845dfbd

SHA1
b336533426fabb791157b0ece7a4812d32d46d62

SHA256
4d35daa9714e0c972673b1d301fd2fe1edfa378b2591689a336272a503e9077f

SHA512
ba14193a0ed687fd6f99f1b82ad515dda8f6168a2a0b417a5ea49798d8e26e078269d383a74a0240fecfdfaa48540191bfd241ff7c51f9ff1d258dd996a8fe20

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsn6676.tmp\nsExec.dll

Filesize
7KB

MD5
f27689c513e7d12c7c974d5f8ef710d6

SHA1
e305f2a2898d765a64c82c449dfb528665b4a892

SHA256
1f18f4126124b0551f3dbcd0fec7f34026f930ca509f04435657cedc32ae8c47

SHA512
734e9f3989ee47a86bee16838df7a09353c7fe085a09d77e70d281b21c5477b0b061616e72e8ac8fcb3dda1df0d5152f54dcc4c5a77f90fbf0f857557bf02fbc

Download Submit
memory/3352-192-0x0000000000400000-0x00000000008AB000-memory.dmp

Filesize
4.7MB

Download
memory/3352-194-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/3352-195-0x0000000000400000-0x00000000008AB000-memory.dmp

Filesize
4.7MB

Download
memory/3352-197-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads