Analysis Overview
SHA256
5b55f2422e6b6d7ff2f74ba998eea04d0d67272869f53cf9b273026694762a9a
Threat Level: Shows suspicious behavior
The file 66f94654a1494195ce06240feb988738_27_Installer was found to show suspicious behavior.
Malicious Activity Summary
Queries the macOS version information.
System Checks
AppleScript
The three signature names above cover only the reconnaissance and dialog activity; the behavioral run recorded a complete credential-theft chain, visible in the Processes, Network and Files sections below. The sample (launched by the harness via sudo /bin/zsh) fingerprints the host with system_profiler and sw_vers, probes for a blank account password with dscl /Local/Default -authonly run "", shows an osascript dialog titled "System Preferences" that asks for the password with masked input (hidden answer), re-checks the typed value with dscl /Local/Default -authonly run root (the harness typed "root"), and writes it to /Users/run/<timestamp>/password-entered, whose MD5 63a9f0ea7bb98050796b649e85481845 is the digest of the string root. The same staging directory receives Chrome Password, Cookies and Autofill files and a copy of the login keychain, is zipped with ditto, and a fake "Some error occurred" dialog is shown afterwards. The only network activity not attributable to Apple services or CDNs is plain HTTP to 5.42.65.55:80 by literal IP, once per run.
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 00:22
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 00:22
Reported
2024-02-23 00:28
Platform
macos-20240214-en
Max time kernel
179s
Max time network
219s
Command Line
Signatures
Queries the macOS version information.
| Description | Indicator | Process | Target |
| N/A | sh -c sw_vers | N/A | N/A |
| N/A | sw_vers | N/A | N/A |
| N/A | sh -c sw_vers | N/A | N/A |
| N/A | sw_vers | N/A | N/A |
System Checks
| Description | Indicator | Process | Target |
| N/A | sh -c "system_profiler SPHardwareDataType" | N/A | N/A |
| N/A | system_profiler SPHardwareDataType | N/A | N/A |
| N/A | sh -c "system_profiler SPHardwareDataType" | N/A | N/A |
| N/A | system_profiler SPHardwareDataType | N/A | N/A |
AppleScript
| Description | Indicator | Process | Target |
| N/A | sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | N/A | N/A |
| N/A | osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" | N/A | N/A |
| N/A | osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | N/A | N/A |
| N/A | osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" | N/A | N/A |
| N/A | osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/66f94654a1494195ce06240feb988738_27_Installer"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/66f94654a1494195ce06240feb988738_27_Installer"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer]
/bin/zsh
[/bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer]
/Users/run/66f94654a1494195ce06240feb988738_27_Installer
[/Users/run/66f94654a1494195ce06240feb988738_27_Installer]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/bin/bzip2
[/usr/bin/bzip2 -f /var/log/wifi.log.0]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.bird]
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
[/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/bin/ls
[ls]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
./66f94654a1494195ce06240feb988738_27_Installer
[./66f94654a1494195ce06240feb988738_27_Installer]
/bin/sh
[sh -c system_profiler SPHardwareDataType]
/bin/bash
[sh -c system_profiler SPHardwareDataType]
/usr/sbin/system_profiler
[system_profiler SPHardwareDataType]
/bin/sh
[sh -c system_profiler SPDisplaysDataType]
/bin/bash
[sh -c system_profiler SPDisplaysDataType]
/usr/sbin/system_profiler
[system_profiler SPDisplaysDataType]
/bin/sh
[sh -c sw_vers]
/bin/bash
[sh -c sw_vers]
/usr/bin/sw_vers
[sw_vers]
/bin/sh
[sh -c dscl /Local/Default -authonly run ""]
/bin/bash
[sh -c dscl /Local/Default -authonly run ""]
/usr/bin/dscl
[dscl /Local/Default -authonly run ]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AccountPolicyHelper]
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]
/bin/sh
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/bin/bash
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/usr/bin/osascript
[osascript -e display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/bin/sh
[sh -c dscl /Local/Default -authonly run root]
/bin/bash
[sh -c dscl /Local/Default -authonly run root]
/usr/bin/dscl
[dscl /Local/Default -authonly run root]
/bin/sh
[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/1576456586 /Users/run/1576456586.zip --norsrc --noextattr]
/bin/bash
[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/1576456586 /Users/run/1576456586.zip --norsrc --noextattr]
/usr/bin/ditto
[ditto -c -k --sequesterRsrc --keepParent /Users/run/1576456586 /Users/run/1576456586.zip --norsrc --noextattr]
/bin/sh
[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']
/bin/bash
[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']
/usr/bin/osascript
[osascript -e display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportMemoryException]
/usr/libexec/ReportMemoryException
[/usr/libexec/ReportMemoryException]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
/usr/libexec/xpcproxy
[xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E]
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
[/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService]
/bin/ls
[ls]
./66f94654a1494195ce06240feb988738_27_Installer
[./66f94654a1494195ce06240feb988738_27_Installer]
/bin/sh
[sh -c system_profiler SPHardwareDataType]
/bin/bash
[sh -c system_profiler SPHardwareDataType]
/usr/sbin/system_profiler
[system_profiler SPHardwareDataType]
/bin/sh
[sh -c system_profiler SPDisplaysDataType]
/bin/bash
[sh -c system_profiler SPDisplaysDataType]
/usr/sbin/system_profiler
[system_profiler SPDisplaysDataType]
/bin/sh
[sh -c sw_vers]
/bin/bash
[sh -c sw_vers]
/usr/bin/sw_vers
[sw_vers]
/bin/sh
[sh -c dscl /Local/Default -authonly run ""]
/bin/bash
[sh -c dscl /Local/Default -authonly run ""]
/usr/bin/dscl
[dscl /Local/Default -authonly run ]
/bin/sh
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/bin/bash
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/usr/bin/osascript
[osascript -e display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]
/bin/sh
[sh -c dscl /Local/Default -authonly run root]
/bin/bash
[sh -c dscl /Local/Default -authonly run root]
/usr/bin/dscl
[dscl /Local/Default -authonly run root]
/bin/sh
[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/1578691917 /Users/run/1578691917.zip --norsrc --noextattr]
/bin/bash
[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/1578691917 /Users/run/1578691917.zip --norsrc --noextattr]
/usr/bin/ditto
[ditto -c -k --sequesterRsrc --keepParent /Users/run/1578691917 /Users/run/1578691917.zip --norsrc --noextattr]
/bin/sh
[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']
/bin/bash
[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']
/usr/bin/osascript
[osascript -e display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop]
Network
| Country | Destination | Domain | Proto |
| US | 52.182.143.208:443 | | tcp |
| US | 8.8.8.8:53 | bag-cdn-lb.itunes-apple.com.akadns.net | udp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| GB | 104.91.71.86:443 | a1366.dscapi6.akamai.net | tcp |
| GB | 104.91.71.85:443 | a1366.dscapi6.akamai.net | tcp |
| US | 17.137.170.10:443 | | tcp |
| US | 17.137.170.34:443 | | tcp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 52.182.143.208:443 | | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| GB | 17.253.77.201:80 | valid.apple.com | tcp |
| RU | 5.42.65.55:80 | 5.42.65.55 | tcp |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| RO | 82.78.25.240:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| GB | 23.44.233.108:443 | help.apple.com | tcp |
| GB | 23.44.233.108:443 | help.apple.com | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | gsp-ssl.ls.apple.com | udp |
| GB | 17.253.29.220:443 | gsp-ssl.ls.apple.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | b._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| US | 8.8.8.8:53 | db._dns-sd._udp.0.0.127.10.in-addr.arpa | udp |
| RU | 5.42.65.55:80 | 5.42.65.55 | tcp |
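Most rows in this table are what an idle macOS VM produces on its own (Apple services, Akamai CDN lookups, Bonjour). The following is an added example for this page, not sandbox code: it classifies each row and keeps only destinations that background activity does not explain. ROWS is a subset constructed from the table above; the allow-list (Apple's 17.0.0.0/8, Apple and CDN hostname suffixes, reverse-DNS lookups) is this example's assumption.

```python
"""Separate the sample's own network activity from macOS background noise in
a sandbox Network table. Added example for this page, not sandbox output.
ROWS is a subset constructed from the table above; the allow-list of
background infrastructure is this example's assumption."""
import ipaddress

# (country, destination, domain, proto) as printed in the report; rows the
# sandbox printed without a domain get "".
ROWS = [
    ("US", "52.182.143.208:443", "", "tcp"),
    ("US", "8.8.8.8:53", "bag-cdn-lb.itunes-apple.com.akadns.net", "udp"),
    ("GB", "104.91.71.86:443", "a1366.dscapi6.akamai.net", "tcp"),
    ("US", "17.137.170.10:443", "", "tcp"),
    ("US", "8.8.8.8:53", "mobile.events.data.trafficmanager.net", "udp"),
    ("GB", "17.253.77.201:80", "valid.apple.com", "tcp"),
    ("RU", "5.42.65.55:80", "5.42.65.55", "tcp"),
    ("RO", "82.78.25.240:443", "cds.apple.com", "tcp"),
    ("N/A", "224.0.0.251:5353", "", "udp"),
    ("US", "8.8.8.8:53", "b._dns-sd._udp.0.0.127.10.in-addr.arpa", "udp"),
    ("RU", "5.42.65.55:80", "5.42.65.55", "tcp"),
]

# Assumed background allow-list: Apple's 17.0.0.0/8, Apple and CDN hostnames,
# reverse-DNS lookups. Anything else the VM reached is attributed to the sample.
APPLE_NET = ipaddress.ip_network("17.0.0.0/8")
BACKGROUND_SUFFIXES = (".apple.com", ".akamai.net", ".akamaiedge.net",
                       ".akadns.net", ".in-addr.arpa")


def split_dest(dest):
    """'5.42.65.55:80' -> (IPv4Address('5.42.65.55'), 80)."""
    host, _, port = dest.rpartition(":")
    return ipaddress.ip_address(host), int(port)


def classify(row):
    """Label one table row."""
    _country, dest, domain, proto = row
    ip, port = split_dest(dest)
    if ip.is_multicast or ip.is_link_local:
        return "local_noise"          # mDNS / Bonjour chatter
    if port == 53 and proto == "udp":
        return "dns_query"            # the lookup itself, not a connection
    if ip in APPLE_NET or domain.endswith(BACKGROUND_SUFFIXES):
        return "apple_background"
    # No hostname, or the "domain" is just the IP echoed back: the sample
    # connected by literal address, so there is no DNS record to pivot on.
    if domain in ("", str(ip)):
        return "raw_ip_http" if port == 80 else "raw_ip_tls"
    return "unresolved"


def triage(rows):
    """Unique destinations not explained by background activity, grouped by
    class in first-seen order."""
    out = {}
    for row in rows:
        cls = classify(row)
        if cls in ("raw_ip_http", "raw_ip_tls", "unresolved"):
            bucket = out.setdefault(cls, [])
            if row[1] not in bucket:
                bucket.append(row[1])
    return out


if __name__ == "__main__":
    for cls, dests in triage(ROWS).items():
        print(cls, dests)
```

The raw_ip_http hit, 5.42.65.55:80, is the one to treat as the sample's own traffic: plain HTTP to a nameless host, contacted twice, matching the two runs in the process tree, and the only destination outside Apple and CDN space. 52.182.143.208:443 is flagged only because the table does not tie the connection to the mobile.events.data.trafficmanager.net lookup that precedes it; confirm from the pcap before attributing it to the sample.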
Files
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | ce7f5b3d4bfc7b4b0da6a06dccc515f2 |
| SHA1 | ce657a52a052a3aaf534ecfbf7cbdde4ee334c10 |
| SHA256 | 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1 |
| SHA512 | db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 520bb9b65b89f03050030e5a985b9cd1 |
| SHA1 | 91defba6d4540d4c8ede177730d104d747e8f57b |
| SHA256 | 6bb23965fd46b9ffe67a1cdb2144943543894e063c05db3a4de54e94b84968a0 |
| SHA512 | 81eebb3eda761a9ecc94aa9564deab4d476522d94025ec19e002e91b12b7fbf2bffda23e7c393c09cb91b6ecd953ec1bf39ef5f787058b70289a5a5d777f0cf6 |
/Users/run/Library/Caches/GeoServices/Resources/altitude-1168.xml
| MD5 | 76ebb0196d42a294b69ef118cbb301d5 |
| SHA1 | 61e5ab752d351af1661716bc48c0520f66cd1d1b |
| SHA256 | aaa9febe98e3a75220b4933d1f00f2bef276183491e7d171fa54d03259812759 |
| SHA512 | 8dde09d72944e8925c5bd64dc3799a44d7c30191d5038939a24f8a45ccf4d66b84990e8be3e0f2ee1d42d1dd6e5ed3673c39f803874fb0840a3232cc1e533663 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | ea76ea3a8a20c82b278109c2fabf91e7 |
| SHA1 | 630cd257e04cf8e8244ec33a30edd56601e101ce |
| SHA256 | b9b4b9cfc6e10bd72c3ee777bcb7326313c1249e0300741c55c4e175b13eddc3 |
| SHA512 | b952f3a9ea16fbdef49a7f3a3a9ac875be907f563f71e51ccb5a850ebf6b34c9877eafae1f6d81a40560f1504be1561644a144a2d9a01412ca28c7d4a9654c56 |
/Users/run/./1576456586/password-entered
| MD5 | 63a9f0ea7bb98050796b649e85481845 |
| SHA1 | dc76e9f0c0006e8f919e0c515c66dbba3982f785 |
| SHA256 | 4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2 |
| SHA512 | 99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8 |
/Users/run/./1576456586/Sysinfo.txt
| MD5 | 2796d0c67f65e653e09763c09db8614d |
| SHA1 | ed9a6fa0035d3c549738ce34a0fd7516f48505d1 |
| SHA256 | 2ba36ad25309fe0241e34145a108e1421998623e00f3436874bd2a23a04c200c |
| SHA512 | 6a2df8c61f99a7de9e8612b53f672400d7836902b0989eb57a409981dd754b2ad4f97ae67232353fa7fa9bcd730b4c0e0bbac544fb9282232f50c057cd44f2c0 |
/Users/run/./1576456586/Chromium/Chrome/Password1
| MD5 | b6914d8e5cb470236eceed8d6f8b4fb7 |
| SHA1 | cdff8880e9fa7630fc8d57af4669365b5ab29b60 |
| SHA256 | 45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1 |
| SHA512 | 1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7 |
/Users/run/./1576456586/Chromium/Chrome/Cookies2
| MD5 | 2a3fa78b5f55b529a2698ad187c80204 |
| SHA1 | cbbda35512038de511ac23b0aed12e9e86bcc796 |
| SHA256 | d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b |
| SHA512 | e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab |
/Users/run/./1576456586/Chromium/Chrome/Autofill0
| MD5 | 4e9060f76c1cb5b54005dc6640a58f0d |
| SHA1 | 04a1e6791ae55612d9b63f23ccb37eec398b3d27 |
| SHA256 | 5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3 |
| SHA512 | be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148 |
/Users/run/./1576456586/login-keychain
| MD5 | 559f663bde24995370ee037931bc75ce |
| SHA1 | 4d378e5a50895d6759437269af940fd7b9dbbc70 |
| SHA256 | 6d724f0d2bf2e0f062d26371bc539f28fbcbaec71f5349dbca42184bf7b0f00b |
| SHA512 | f6ad27362c8f41dbc33a88bad498ca328df2377c0f8dffdb16ead234dfed329df3ecbce70fd317b5b316ae1795f4f6744d957614fc766e55c12bfdd821d6eac1 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 52ef57acdaa153c35594e46bde4fe42c |
| SHA1 | c2a5b1748aa61c311b670ef319d92663e3f92b00 |
| SHA256 | 58add3e6d1d91409a9ddd9bb9b7cb173f3ec1162905d907839ab007e43cf2d2a |
| SHA512 | defea7dd6200a17dbf0b619e16efb2919dc14199e7f3cb6755b4e5f1fdc8fb2942fa9f7c8c4c19d9026acb0c64a7df0462c7e10685c7482e710e94ed15964209 |
/Users/run/Library/Caches/GeoServices/Experiments.pbd
| MD5 | 6c8248815b94c1f73a5f58c7b4849555 |
| SHA1 | 2a31e87faf6f6215c215e00721378aab29790519 |
| SHA256 | 06abf2118cce4ab763aa92a13a6e4d16a290ad2604bdf4a2c0887f6b7dceb829 |
| SHA512 | a5310fc014592f8ef2eb2ab93934196b8e57dc295f655b5aaa331353b2abe6f8d380ae167375be02c7907fe8be52be5175f267eab2ad7669df19f61f7b70d8c2 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 95f24d2f9121654acd5a1c44e572082b |
| SHA1 | ea13b61b35ef396ebe42f09e638a39f13b93fd9b |
| SHA256 | 2b7b2a1c679a5a0d2465351f35584f1eb6de22160daefb4cba351838f98f155e |
| SHA512 | d1eaa0bd0b245f98a03d24197e02096400abea41f5a36905a41c777bedba15194f3de256c12b4f038e38267147986e8b9dd543189fdc6d1788d3c012bc63270d |
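The files under /Users/run/./1576456586/ are the staging directory that ditto later zipped, and the recorded digests allow one check without the sample itself: whether password-entered is literally the password the harness typed into the fake prompt. The following is an added example for this page, not sandbox code. Paths and digests are copied from the Files section; the candidate password "root" comes from the dscl /Local/Default -authonly run root line in the process tree; the artifact labels are this example's assumption, inferred from the file names the sample chose.

```python
"""Triage the staging directory listed under Files: label what the sample
collected and confirm from the recorded digests that password-entered holds
the password typed into the fake prompt. Added example for this page, not
sandbox code. Paths and digests are copied from the Files section; the
candidate password comes from the dscl -authonly line in the process tree;
the artifact labels are this example's assumption."""
import hashlib
import re

STAGING_DIR = "/Users/run/1576456586"

# (path, md5, sha1, sha256) copied from the report's Files section.
STAGED = [
    ("/Users/run/./1576456586/password-entered",
     "63a9f0ea7bb98050796b649e85481845",
     "dc76e9f0c0006e8f919e0c515c66dbba3982f785",
     "4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2"),
    ("/Users/run/./1576456586/Sysinfo.txt",
     "2796d0c67f65e653e09763c09db8614d",
     "ed9a6fa0035d3c549738ce34a0fd7516f48505d1",
     "2ba36ad25309fe0241e34145a108e1421998623e00f3436874bd2a23a04c200c"),
    ("/Users/run/./1576456586/Chromium/Chrome/Password1",
     "b6914d8e5cb470236eceed8d6f8b4fb7",
     "cdff8880e9fa7630fc8d57af4669365b5ab29b60",
     "45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1"),
    ("/Users/run/./1576456586/Chromium/Chrome/Cookies2",
     "2a3fa78b5f55b529a2698ad187c80204",
     "cbbda35512038de511ac23b0aed12e9e86bcc796",
     "d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b"),
    ("/Users/run/./1576456586/Chromium/Chrome/Autofill0",
     "4e9060f76c1cb5b54005dc6640a58f0d",
     "04a1e6791ae55612d9b63f23ccb37eec398b3d27",
     "5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3"),
    ("/Users/run/./1576456586/login-keychain",
     "559f663bde24995370ee037931bc75ce",
     "4d378e5a50895d6759437269af940fd7b9dbbc70",
     "6d724f0d2bf2e0f062d26371bc539f28fbcbaec71f5349dbca42184bf7b0f00b"),
]

# Assumed meaning of each artifact, inferred from the names the sample chose.
KINDS = [
    (re.compile(r"^password-entered$"), "captured account password"),
    (re.compile(r"^Sysinfo\.txt$"), "host fingerprint"),
    (re.compile(r"^login-keychain$"), "copy of the login keychain"),
    (re.compile(r"^Chromium/[^/]+/Password\d*$"), "browser saved logins"),
    (re.compile(r"^Chromium/[^/]+/Cookies\d*$"), "browser session cookies"),
    (re.compile(r"^Chromium/[^/]+/Autofill\d*$"), "browser autofill data"),
]


def relative_to_staging(path):
    """Strip the staging prefix, tolerating the '/./' the sandbox printed."""
    norm = path.replace("/./", "/")
    prefix = STAGING_DIR + "/"
    return norm[len(prefix):] if norm.startswith(prefix) else None


def classify_artifact(rel_path):
    """Label one staged file by its relative path."""
    for rx, label in KINDS:
        if rx.match(rel_path):
            return label
    return "unknown"


def password_matches(candidate, md5_hex, sha1_hex, sha256_hex):
    """True if the candidate, written raw or with a trailing newline, hashes
    to all three recorded digests."""
    for blob in (candidate.encode(), candidate.encode() + b"\n"):
        if (hashlib.md5(blob).hexdigest() == md5_hex
                and hashlib.sha1(blob).hexdigest() == sha1_hex
                and hashlib.sha256(blob).hexdigest() == sha256_hex):
            return True
    return False


def summarize(staged, candidate_password):
    """Map each staged artifact to its label and check the captured password."""
    kinds, confirmed = {}, False
    for path, md5_hex, sha1_hex, sha256_hex in staged:
        rel = relative_to_staging(path)
        if rel is None:
            continue
        kinds[rel] = classify_artifact(rel)
        if rel == "password-entered":
            confirmed = password_matches(candidate_password, md5_hex, sha1_hex, sha256_hex)
    return {"kinds": kinds, "password_confirmed": confirmed,
            "artifact_count": len(kinds)}


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(STAGED, "root"), indent=2))
```

The three digests of password-entered are exactly those of the four bytes root with no newline, so the sample stores the phished password in clear text next to the browser databases and keychain copy before ditto packages the directory. For a real victim the same check, run against the password the user reports having typed, tells you whether the archive that left the machine contained it.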