###### The initial vector is an INP file (format used for the software InPage) with the exploit CVE-2017-12824, we can see here the 0x7E and 0x72 represent a class of type in the stream for use, an ole stream for launch the first binary file.
###### On the entrypoint of the second PE, we can see the first action is to check the environment in using the anti-forensic technique by the CheckRemoteDebuggerPresent function.
###### Before go on the others function. We can see that the PE get the name of the user and create their persistence by an RunOnce key in the registry. (\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce Putty explorer.exe CurrentUser C:\file.exe)
###### After this, this uses the CreateToolhelp32snapshot function for getting a snapshot of all the process an parsed it until this fall on the explorer process.
###### Firstly, we can observe that the payload seems be with the Professional version of Inpage (2.21). Inpage is currently used in Pakistan which is consistent with the fact that Patchwork is an Indian APT.
###### Secondly, we can note the same pdb path what the 360TI analysis.
###### This can be exported as JSON format [Export in JSON](https://raw.githubusercontent.com/StrangerealIntel/CyberThreatIntel/master/Indian/APT/Patchwork/27-08-19/IOC_Patchwork_09-09-19.json)
###### Original tweet: [https://twitter.com/_jsoo_/status/1166353584923041798](https://twitter.com/_jsoo_/status/1166353584923041798) <a name="Original-Tweet"></a>
###### Links Anyrun: <a name="Links-Anyrun"></a>
* [Azerbaijan delegation to pakistan.inp](https://app.any.run/tasks/9a133077-a806-4e11-9e4a-711b8764b153/)
###### Documents: <a name="Documents"></a>
* [Recent InPage Exploits Lead to Multiple Malware Families](https://unit42.paloaltonetworks.com/unit42-recent-inpage-exploits-lead-multiple-malware-families/)
* [InPage zero-day exploit used to attack financial institutions in Asia](https://securelist.com/inpage-zero-day-exploit-used-to-attack-financial-institutions-in-asia/76717/)
* [Analysis Of Targeted Attack Against Pakistan By Exploiting InPage Vulnerability And Related APT Groups](https://ti.360.net/blog/articles/analysis-of-targeted-attack-against-pakistan-by-exploiting-inpage-vulnerability-and-related-apt-groups-english/)