Analysis
-
max time kernel
179s -
max time network
219s -
platform
macos-10.15_amd64 -
resource
macos-20240214-en -
resource tags
arch:amd64 arch:i386 image:macos-20240214-en kernel:19b77a locale:en-us os:macos-10.15-amd64 system -
submitted
23/02/2024, 00:22
Static task
static1
General
-
Target
66f94654a1494195ce06240feb988738_27_Installer
-
Size
374KB
-
MD5
66f94654a1494195ce06240feb988738
-
SHA1
247182be589a95b79697367e971448c44b6e1ddb
-
SHA256
5b55f2422e6b6d7ff2f74ba998eea04d0d67272869f53cf9b273026694762a9a
-
SHA512
8c0516516988d76677962089d3237ec4b674b7b06ba104de80919d23fafd5818abe2a8b8b59da4af41aacd141029f4d30a02a8ef1c00e58f6fc299c6cef1707e
-
SSDEEP
6144:u6i0jQmEEB1kYewqQOrlaGdjAFzoSOIwhKdja0QhJ:uJFmz1kvDjAr4
Malware Config
Signatures
-
Queries the macOS version information. 1 TTPs 4 IoCs
ioc Process sh -c sw_vers Process not Found sw_vers Process not Found sh -c sw_vers Process not Found sw_vers Process not Found -
System Checks 1 TTPs 4 IoCs
ioc Process sh -c "system_profiler SPHardwareDataType" Process not Found system_profiler SPHardwareDataType Process not Found sh -c "system_profiler SPHardwareDataType" Process not Found system_profiler SPHardwareDataType Process not Found -
AppleScript 1 TTPs 8 IoCs
ioc Process sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" Process not Found osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" Process not Found sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" Process not Found osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" Process not Found sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" Process not Found osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" Process not Found sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" Process not Found osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" Process not Found
Processes
-
/bin/shsh -c "sudo /bin/zsh -c \"/Users/run/66f94654a1494195ce06240feb988738_27_Installer\""1⤵PID:536
-
/bin/bashsh -c "sudo /bin/zsh -c \"/Users/run/66f94654a1494195ce06240feb988738_27_Installer\""1⤵PID:536
-
/usr/bin/sudosudo /bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer1⤵PID:536
-
/bin/zsh/bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer2⤵PID:537
-
-
/Users/run/66f94654a1494195ce06240feb988738_27_Installer/Users/run/66f94654a1494195ce06240feb988738_27_Installer2⤵PID:537
-
-
/usr/libexec/xpcproxyxpcproxy com.apple.sysmond1⤵PID:560
-
/usr/libexec/sysmond/usr/libexec/sysmond1⤵PID:560
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵PID:567
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵PID:567
-
/usr/libexec/xpcproxyxpcproxy com.apple.AddressBook.ContactsAccountsService1⤵PID:568
-
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService1⤵PID:568
-
/usr/libexec/xpcproxyxpcproxy com.apple.routined1⤵PID:569
-
/usr/libexec/routined/usr/libexec/routined LAUNCHED_BY_LAUNCHD1⤵PID:569
-
/usr/libexec/xpcproxyxpcproxy com.apple.Maps.mapspushd1⤵PID:570
-
/System/Library/CoreServices/mapspushd/System/Library/CoreServices/mapspushd1⤵PID:570
-
/usr/bin/bzip2/usr/bin/bzip2 -f /var/log/wifi.log.01⤵PID:572
-
/usr/sbin/spctl/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app1⤵PID:574
-
/usr/libexec/xpcproxyxpcproxy com.apple.assistantd1⤵PID:576
-
/usr/libexec/xpcproxyxpcproxy com.apple.bird1⤵PID:577
-
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird1⤵PID:577
-
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd1⤵PID:576
-
/usr/libexec/xpcproxyxpcproxy com.apple.nehelper1⤵PID:578
-
/usr/libexec/nehelper/usr/libexec/nehelper1⤵PID:578
-
/bin/lsls1⤵PID:579
-
/usr/libexec/xpcproxyxpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A1⤵PID:583
-
/usr/libexec/neagent/usr/libexec/neagent1⤵PID:583
-
./66f94654a1494195ce06240feb988738_27_Installer./66f94654a1494195ce06240feb988738_27_Installer1⤵PID:585
-
/bin/shsh -c "system_profiler SPHardwareDataType"1⤵PID:586
-
/bin/bashsh -c "system_profiler SPHardwareDataType"1⤵PID:586
-
/usr/sbin/system_profilersystem_profiler SPHardwareDataType1⤵PID:586
-
/bin/shsh -c "system_profiler SPDisplaysDataType"1⤵PID:588
-
/bin/bashsh -c "system_profiler SPDisplaysDataType"1⤵PID:588
-
/usr/sbin/system_profilersystem_profiler SPDisplaysDataType1⤵PID:588
-
/bin/shsh -c sw_vers1⤵PID:590
-
/bin/bashsh -c sw_vers1⤵PID:590
-
/usr/bin/sw_verssw_vers1⤵PID:590
-
/bin/shsh -c "dscl /Local/Default -authonly run \"\""1⤵PID:591
-
/bin/bashsh -c "dscl /Local/Default -authonly run \"\""1⤵PID:591
-
/usr/bin/dscldscl /Local/Default -authonly run1⤵PID:591
-
/usr/libexec/xpcproxyxpcproxy com.apple.AccountPolicyHelper1⤵PID:592
-
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper1⤵PID:592
-
/bin/shsh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"1⤵PID:593
-
/bin/bashsh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"1⤵PID:593
-
/usr/bin/osascriptosascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"1⤵PID:593
-
/usr/libexec/xpcproxyxpcproxy com.apple.pbs1⤵PID:597
-
/System/Library/CoreServices/pbs/System/Library/CoreServices/pbs1⤵PID:597
-
/bin/shsh -c "dscl /Local/Default -authonly run root"1⤵PID:599
-
/bin/bashsh -c "dscl /Local/Default -authonly run root"1⤵PID:599
-
/usr/bin/dscldscl /Local/Default -authonly run root1⤵PID:599
-
/bin/shsh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/1576456586 /Users/run/1576456586.zip --norsrc --noextattr"1⤵PID:600
-
/bin/bashsh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/1576456586 /Users/run/1576456586.zip --norsrc --noextattr"1⤵PID:600
-
/usr/bin/dittoditto -c -k --sequesterRsrc --keepParent /Users/run/1576456586 /Users/run/1576456586.zip --norsrc --noextattr1⤵PID:600
-
/bin/shsh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"1⤵PID:601
-
/bin/bashsh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"1⤵PID:601
-
/usr/bin/osascriptosascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"1⤵PID:601
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportMemoryException1⤵PID:602
-
/usr/libexec/ReportMemoryException/usr/libexec/ReportMemoryException1⤵PID:602
-
/bin/launchctl/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon1⤵PID:608
-
/bin/launchctl/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon1⤵PID:609
-
/usr/libexec/xpcproxyxpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E1⤵PID:610
-
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService1⤵PID:610
-
/bin/lsls1⤵PID:616
-
./66f94654a1494195ce06240feb988738_27_Installer./66f94654a1494195ce06240feb988738_27_Installer1⤵PID:618
-
/bin/shsh -c "system_profiler SPHardwareDataType"1⤵PID:619
-
/bin/bashsh -c "system_profiler SPHardwareDataType"1⤵PID:619
-
/usr/sbin/system_profilersystem_profiler SPHardwareDataType1⤵PID:619
-
/bin/shsh -c "system_profiler SPDisplaysDataType"1⤵PID:621
-
/bin/bashsh -c "system_profiler SPDisplaysDataType"1⤵PID:621
-
/usr/sbin/system_profilersystem_profiler SPDisplaysDataType1⤵PID:621
-
/bin/shsh -c sw_vers1⤵PID:623
-
/bin/bashsh -c sw_vers1⤵PID:623
-
/usr/bin/sw_verssw_vers1⤵PID:623
-
/bin/shsh -c "dscl /Local/Default -authonly run \"\""1⤵PID:624
-
/bin/bashsh -c "dscl /Local/Default -authonly run \"\""1⤵PID:624
-
/usr/bin/dscldscl /Local/Default -authonly run1⤵PID:624
-
/bin/shsh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"1⤵PID:625
-
/bin/bashsh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"1⤵PID:625
-
/usr/bin/osascriptosascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"1⤵PID:625
-
/bin/shsh -c "dscl /Local/Default -authonly run root"1⤵PID:627
-
/bin/bashsh -c "dscl /Local/Default -authonly run root"1⤵PID:627
-
/usr/bin/dscldscl /Local/Default -authonly run root1⤵PID:627
-
/bin/shsh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/1578691917 /Users/run/1578691917.zip --norsrc --noextattr"1⤵PID:628
-
/bin/bashsh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/1578691917 /Users/run/1578691917.zip --norsrc --noextattr"1⤵PID:628
-
/usr/bin/dittoditto -c -k --sequesterRsrc --keepParent /Users/run/1578691917 /Users/run/1578691917.zip --norsrc --noextattr1⤵PID:628
-
/bin/shsh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"1⤵PID:629
-
/bin/bashsh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"1⤵PID:629
-
/usr/bin/osascriptosascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"1⤵PID:629
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
42B
MD5 ce7f5b3d4bfc7b4b0da6a06dccc515f2
SHA1 ce657a52a052a3aaf534ecfbf7cbdde4ee334c10
SHA256 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1
SHA512 db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb
-
Filesize
81B
MD5 520bb9b65b89f03050030e5a985b9cd1
SHA1 91defba6d4540d4c8ede177730d104d747e8f57b
SHA256 6bb23965fd46b9ffe67a1cdb2144943543894e063c05db3a4de54e94b84968a0
SHA512 81eebb3eda761a9ecc94aa9564deab4d476522d94025ec19e002e91b12b7fbf2bffda23e7c393c09cb91b6ecd953ec1bf39ef5f787058b70289a5a5d777f0cf6
-
Filesize
126B
MD5 52ef57acdaa153c35594e46bde4fe42c
SHA1 c2a5b1748aa61c311b670ef319d92663e3f92b00
SHA256 58add3e6d1d91409a9ddd9bb9b7cb173f3ec1162905d907839ab007e43cf2d2a
SHA512 defea7dd6200a17dbf0b619e16efb2919dc14199e7f3cb6755b4e5f1fdc8fb2942fa9f7c8c4c19d9026acb0c64a7df0462c7e10685c7482e710e94ed15964209
-
Filesize
126B
MD5 95f24d2f9121654acd5a1c44e572082b
SHA1 ea13b61b35ef396ebe42f09e638a39f13b93fd9b
SHA256 2b7b2a1c679a5a0d2465351f35584f1eb6de22160daefb4cba351838f98f155e
SHA512 d1eaa0bd0b245f98a03d24197e02096400abea41f5a36905a41c777bedba15194f3de256c12b4f038e38267147986e8b9dd543189fdc6d1788d3c012bc63270d
-
Filesize
90KB
MD5 4e9060f76c1cb5b54005dc6640a58f0d
SHA1 04a1e6791ae55612d9b63f23ccb37eec398b3d27
SHA256 5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3
SHA512 be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148
-
Filesize
20KB
MD5 2a3fa78b5f55b529a2698ad187c80204
SHA1 cbbda35512038de511ac23b0aed12e9e86bcc796
SHA256 d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b
SHA512 e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab
-
Filesize
40KB
MD5 b6914d8e5cb470236eceed8d6f8b4fb7
SHA1 cdff8880e9fa7630fc8d57af4669365b5ab29b60
SHA256 45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1
SHA512 1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7
-
Filesize
1KB
MD5 2796d0c67f65e653e09763c09db8614d
SHA1 ed9a6fa0035d3c549738ce34a0fd7516f48505d1
SHA256 2ba36ad25309fe0241e34145a108e1421998623e00f3436874bd2a23a04c200c
SHA512 6a2df8c61f99a7de9e8612b53f672400d7836902b0989eb57a409981dd754b2ad4f97ae67232353fa7fa9bcd730b4c0e0bbac544fb9282232f50c057cd44f2c0
-
Filesize
102KB
MD5 559f663bde24995370ee037931bc75ce
SHA1 4d378e5a50895d6759437269af940fd7b9dbbc70
SHA256 6d724f0d2bf2e0f062d26371bc539f28fbcbaec71f5349dbca42184bf7b0f00b
SHA512 f6ad27362c8f41dbc33a88bad498ca328df2377c0f8dffdb16ead234dfed329df3ecbce70fd317b5b316ae1795f4f6744d957614fc766e55c12bfdd821d6eac1
-
Filesize
4B
MD5 63a9f0ea7bb98050796b649e85481845
SHA1 dc76e9f0c0006e8f919e0c515c66dbba3982f785
SHA256 4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2
SHA512 99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8
-
Filesize
124KB
MD5 ea76ea3a8a20c82b278109c2fabf91e7
SHA1 630cd257e04cf8e8244ec33a30edd56601e101ce
SHA256 b9b4b9cfc6e10bd72c3ee777bcb7326313c1249e0300741c55c4e175b13eddc3
SHA512 b952f3a9ea16fbdef49a7f3a3a9ac875be907f563f71e51ccb5a850ebf6b34c9877eafae1f6d81a40560f1504be1561644a144a2d9a01412ca28c7d4a9654c56
-
Filesize
137B
MD5 6c8248815b94c1f73a5f58c7b4849555
SHA1 2a31e87faf6f6215c215e00721378aab29790519
SHA256 06abf2118cce4ab763aa92a13a6e4d16a290ad2604bdf4a2c0887f6b7dceb829
SHA512 a5310fc014592f8ef2eb2ab93934196b8e57dc295f655b5aaa331353b2abe6f8d380ae167375be02c7907fe8be52be5175f267eab2ad7669df19f61f7b70d8c2
-
Filesize
150KB
MD5 76ebb0196d42a294b69ef118cbb301d5
SHA1 61e5ab752d351af1661716bc48c0520f66cd1d1b
SHA256 aaa9febe98e3a75220b4933d1f00f2bef276183491e7d171fa54d03259812759
SHA512 8dde09d72944e8925c5bd64dc3799a44d7c30191d5038939a24f8a45ccf4d66b84990e8be3e0f2ee1d42d1dd6e5ed3673c39f803874fb0840a3232cc1e533663
-
Filesize
47KB
MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20
-
Filesize
4KB
MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818