evilquest | 90b5a701c41fa4e2ea33a9fbde45ca4c9906c523fa75bae168c6f1c0aad59044

Analysis

max time kernel
149s
max time network
151s
platform
macos-10.15_amd64
resource
macos-20240214-en
resource tags

arch:amd64arch:i386image:macos-20240214-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
15-02-2024 04:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest
Size

12.2MB
MD5

e9742f14ac3a1b793087bd6ca3f87e16
SHA1

dc3e4eafa03f1b757a2b106a843e23663513c5d1
SHA256

90b5a701c41fa4e2ea33a9fbde45ca4c9906c523fa75bae168c6f1c0aad59044
SHA512

0260b923049f94e739ba190bb52f9502f7844be6b40a06a60eb818d61c6dcdfa07eed4c1f099ee6a7c8f39bf7f6d0911d8d4ed283fd4c60828095621ffe0163e
SSDEEP

49152:U33dQ33g833dQ33533dQ33g833dQ33h33dQ33g833dQ33533dQ33g833dQ33533I:8dnY

Score

10^/10

evilquest backdoor execution persistence

Malware Config

Signatures

EvilQuest
EvilQuest family.
backdoor evilquest

EvilQuest payload 4 IoCs

resource	yara_rule
behavioral1/files/0x000000030008af18-4.dat	family_evilquest
behavioral1/files/0x000000030008af1a-5.dat	family_evilquest
behavioral1/files/0x000000030008af18-8.dat	family_evilquest
behavioral1/files/0x000000030008af33-9.dat	family_evilquest

Launch Daemon 1 TTPs
persistence

Launch Daemon
T1543.004

AppleScript 1 TTPs 20 IoCs

execution

AppleScript

T1059.002

ioc	Process
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found

Launchctl 1 TTPs 45 IoCs

execution

Launchctl

T1569.001

ioc	Process
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
launchctl start questd	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
launchctl start questd	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl start questd	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl start questd	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl start questd	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
launchctl start questd	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl start questd	Process not Found
launchctl start questd	Process not Found
launchctl start questd	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"	Process not Found
launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""	Process not Found
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest\""
1⤵
PID:509

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest\""
1⤵
PID:509

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest
1⤵
PID:509
- /bin/zsh
  /bin/zsh -c /Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest
  2⤵
  PID:511
- /Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest
  /Users/run/2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest
  2⤵
  PID:511
- /Users/run/.2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest1
  2⤵
  PID:511

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:516

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.secinitd
1⤵
PID:536

/usr/libexec/secinitd
/usr/libexec/secinitd
1⤵
PID:536

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:537

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:537

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:538

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:537

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged
1⤵
PID:538

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authtrampoline
1⤵
PID:539

/System/Library/Frameworks/Security.framework/authtrampoline
/System/Library/Frameworks/Security.framework/authtrampoline
1⤵
PID:539

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:540

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:540
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:541
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:543

/usr/libexec/xpcproxy
xpcproxy questd
1⤵
PID:542

/usr/bin/sudo
sudo /Library/AppQuest/com.apple.questd --silent
1⤵
PID:542
- /Library/AppQuest/com.apple.questd
  /Library/AppQuest/com.apple.questd --silent
  2⤵
  PID:549

/bin/sh
sh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""
1⤵
PID:545

/bin/bash
sh -c "osascript -e \"do shell script \\\"sudo /Library/AppQuest/com.apple.questd\\\" with administrator privileges\""
1⤵
PID:545

/usr/bin/osascript
osascript -e "do shell script \"sudo /Library/AppQuest/com.apple.questd\" with administrator privileges"
1⤵
PID:545

/bin/sh
/bin/sh -c "sudo /Library/AppQuest/com.apple.questd"
1⤵
PID:547

/bin/bash
/bin/sh -c "sudo /Library/AppQuest/com.apple.questd"
1⤵
PID:547

/usr/bin/sudo
sudo /Library/AppQuest/com.apple.questd
1⤵
PID:547
- /Library/AppQuest/com.apple.questd
  /Library/AppQuest/com.apple.questd
  2⤵
  PID:548

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.pluginkit.pkd
1⤵
PID:553

/usr/libexec/pkd
/usr/libexec/pkd
1⤵
PID:553

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterDA6CE80A/OneDrive.app
1⤵
PID:554

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:555

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:555

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:555

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:556

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:556
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:557
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:558

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:559

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:559

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:559

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:560

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:560

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:560

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:561

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:561
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:562
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:563

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:564

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:564
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:565
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:566

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:567

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:567

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:567

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:568

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:568

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:568

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:569

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:569
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:570
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:571

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:572

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:572
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:573
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:574

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:575

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:575

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:575

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:576

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:576
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:577
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:578

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:584

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:584

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:584

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:585

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:585
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:586
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:587

/bin/sh
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:589

/bin/bash
sh -c "osascript -e \"do shell script \\\"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\\\" with administrator privileges\""
1⤵
PID:589

/usr/bin/osascript
osascript -e "do shell script \"launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd\" with administrator privileges"
1⤵
PID:589

/bin/sh
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:590

/bin/bash
/bin/sh -c "launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist;launchctl start questd"
1⤵
PID:590
- /bin/launchctl
  launchctl load -w /Library/LaunchDaemons/com.apple.questd.plist
  2⤵
  PID:591
- /bin/launchctl
  launchctl start questd
  2⤵
  PID:592

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:594

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:595

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:597

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

System Services

T1569

Launchctl

T1569.001

Persistence

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Privilege Escalation

Create or Modify System Process

T1543

Launch Daemon

T1543.004

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Library/AppQuest/com.apple.questd

Filesize
2.3MB

MD5
f18ec39bc8f731fe0952968b49f97925

SHA1
7a383150498a7a73ba5cd81766a761de06792c26

SHA256
1508486882f16aeef667ea82222c5a396289dc5612f40d6d0e0cc6234bf98fd7

SHA512
c50415aa59c4659755ee1723ddec8fa1fdc213dd95a6578dbb2bd747e19f6ef94b8383fe21cd54924c55e59a540d62fd1e0e9d82b8edaab98c2f5c466f118cde

Download Submit
/Library/AppQuest/com.apple.questd

Filesize
4.7MB

MD5
d0067e0f51a33de2da7df58851392337

SHA1
f7f818a4037379fe3bab02d8725f4ce4b12275a8

SHA256
57dd93da7b9954a3ff7a177420c73931e2852facc58a176088722a4c9810b812

SHA512
25d583e32b9ec7130a5ac26d685288865ff02087e4480eb11365ffc7e15d5ec588cbf94f396389897945545179baf6721727fb3a1a0daedde6f5d648dac6ca9d

Download Submit
/Library/LaunchDaemons/com.apple.questd.plist

Filesize
435B

MD5
a3d34532a7dd2cd1d73cea75deb0677f

SHA1
3019d1c50907fb2597121c03619990c5670ff6f4

SHA256
779a31e4de99f9de28de8bf064c504382e050c114e2e865cc1f694c7e6339735

SHA512
52618a5f14247c909a3857b122a124d0ddd00890c128cf041976182423b3d728cab11daf5b6a1adb6845d062b54083e72380184b6f76369482305c2782bedd91

Download Submit
/Users/run/.2024-02-15_e9742f14ac3a1b793087bd6ca3f87e16_adload_evilquest1

Filesize
626KB

MD5
404345264e9c1b5a711a676176b1147c

SHA1
8217d171f1fad3f650ebf4aeb873f5d253288490

SHA256
f018b12315c2b1924db29bb246137f947cf9601b14364e3744c3d979c839b6d6

SHA512
d9444f0afaac217f63c5505db8222b2d066ebaca3000e2223f4ece6f62fe87d917d137313d24c17fee8cd49109f8b3bbd70f4a82041e7f604074dd2b23b877bc

Download Submit
/Users/run/Library/AppQuest/com.apple.questd

Filesize
1.5MB

MD5
942e91d859326689e56c809ae1d42f63

SHA1
e070ea529bab0548e23d32a3a94a6df4bf1f4bcd

SHA256
98c0f0e5779a148df1a2dff1d8ae6b1a601dcdad8283ae713df07705e358c944

SHA512
0f114412e865eb96f91af44274371bbba5ee5d071142111acae95200dcb8df489e067cf9f8e323eb4de62353ed11e2c091d7f5d00f97e15b18f214c23942f465

Download Submit
/Users/run/Library/Containers/com.apple.iCal.CalendarNC/Container.plist

Filesize
28KB

MD5
2cd00e4b56b4e251dc38ebc3ee6430ff

SHA1
17c0b935843ed06f3b8bbf9e0e432a880949b84d

SHA256
9855c461ae3a723aded334c9f8ed5694a83b6df58f8aaf613feb0f710d9d80c3

SHA512
d60249880f6a0392b98b7cffc4e4b2e50ea59fb11fb344fbc7f6be6b45ce9d9712c9aa179f76ef1200b1656c0d5f94e2af2b4f315e5f71e6c5a6f379cbf0cc7d

Download Submit
/Users/run/Library/LaunchAgents/com.apple.questd.plist

Filesize
423B

MD5
eb73619f4e724257ff0fd951883a30ae

SHA1
5032251e50b32e340d8171631a598596bad8991e

SHA256
6e56467f3f5502588094c91e2d58bbb1e43c4e8171093db14931dd41788e17d4

SHA512
ec95c395414181bc77c7a2980fbd3fe69b718aa98c878e514c3f28b738e1669488126cbdfa96e3a182afd8536b54bc1791a044fa3535d1fd3fad54dfda337b7c

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/root/Library/AppQuest/com.apple.questd

Filesize
5.7MB

MD5
5be20c1305afb663f1b393759ef1c2fe

SHA1
cf0a517719ed0605abc720873dab50f2036bbe40

SHA256
94bec9166fc4bfd00b995b63f584a32ec9eaaf4e58031f76ddd80d8db711423c

SHA512
a653ddf8f85562e03a0369dde04949a76220c3445260945ca29557779e97eed76a58ce4c2c5b895cb4e5f2520900605d41bb9fe911a5a16713afda52cce52871

Download Submit
/var/root/Library/LaunchAgents/com.apple.questd.plist

Filesize
422B

MD5
70c1e05ff6b32db6e1ef873321abd1f9

SHA1
16878e40cd5a569bc8f441988cc07b66ffc8534a

SHA256
ba60feb2a639cd847674e6599cabf986ede7876231a292785b0365d58b7b9378

SHA512
1e82629b3b1fa7bb88e7efe0393aee7114631555fbfe614d33b9b1efb4d299c35dac5e393f834dcc26a5e192e46e317124c0b841f65ab371819c34802424712e

Download Submit