Resubmissions

23/02/2024, 13:31

240223-qsf4jshb63 7

23/02/2024, 00:22

240223-an8d8shc85 7

Analysis

  • max time kernel
    47s
  • max time network
    52s
  • platform
    macos-10.15_amd64
  • resource
    macos-20240214-en
  • resource tags
    arch:amd64, arch:i386, image:macos-20240214-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    23/02/2024, 13:31

General

  • Target

    66f94654a1494195ce06240feb988738_27_Installer

  • Size

    374KB

  • MD5

    66f94654a1494195ce06240feb988738

  • SHA1

    247182be589a95b79697367e971448c44b6e1ddb

  • SHA256

    5b55f2422e6b6d7ff2f74ba998eea04d0d67272869f53cf9b273026694762a9a

  • SHA512

    8c0516516988d76677962089d3237ec4b674b7b06ba104de80919d23fafd5818abe2a8b8b59da4af41aacd141029f4d30a02a8ef1c00e58f6fc299c6cef1707e

  • SSDEEP

    6144:u6i0jQmEEB1kYewqQOrlaGdjAFzoSOIwhKdja0QhJ:uJFmz1kvDjAr4

Malware Config

Signatures

  • Queries the macOS version information (1 TTP, 2 IoCs)
  • System Checks (1 TTP, 2 IoCs)
  • AppleScript (1 TTP, 4 IoCs)

Processes

Each process is listed once per image it runs, so the same PID appears under /bin/sh and again under /bin/bash before the command it wraps, and under /usr/libexec/xpcproxy and again under the service binary it launches. The number in parentheses is the depth in the sandbox's process tree; depth 2 marks the children of the sudo invocation at PID 536.

  • PID 533 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.pluginkit.pkd
  • PID 533 (1)  /usr/libexec/pkd
    /usr/libexec/pkd
  • PID 536 (1)  /bin/sh
    sh -c "sudo /bin/zsh -c \"/Users/run/66f94654a1494195ce06240feb988738_27_Installer\""
  • PID 536 (1)  /bin/bash
    sh -c "sudo /bin/zsh -c \"/Users/run/66f94654a1494195ce06240feb988738_27_Installer\""
  • PID 536 (1)  /usr/bin/sudo
    sudo /bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer
  • PID 537 (2)  /bin/zsh
    /bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer
  • PID 537 (2)  /Users/run/66f94654a1494195ce06240feb988738_27_Installer
    /Users/run/66f94654a1494195ce06240feb988738_27_Installer
  • PID 542 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.sysmond
  • PID 542 (1)  /usr/libexec/sysmond
    /usr/libexec/sysmond
  • PID 544 (1)  ./66f94654a1494195ce06240feb988738_27_Installer
    ./66f94654a1494195ce06240feb988738_27_Installer
  • PID 545 (1)  /bin/sh
    sh -c "system_profiler SPHardwareDataType"
  • PID 545 (1)  /bin/bash
    sh -c "system_profiler SPHardwareDataType"
  • PID 545 (1)  /usr/sbin/system_profiler
    system_profiler SPHardwareDataType
  • PID 547 (1)  /bin/sh
    sh -c "system_profiler SPDisplaysDataType"
  • PID 547 (1)  /bin/bash
    sh -c "system_profiler SPDisplaysDataType"
  • PID 547 (1)  /usr/sbin/system_profiler
    system_profiler SPDisplaysDataType
  • PID 549 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.audio.systemsoundserverd
  • PID 549 (1)  /usr/sbin/systemsoundserverd
    /usr/sbin/systemsoundserverd
  • PID 550 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.pbs
  • PID 550 (1)  /System/Library/CoreServices/pbs
    /System/Library/CoreServices/pbs
  • PID 551 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.audio.AudioComponentRegistrar
  • PID 551 (1)  /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
    /System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
  • PID 552 (1)  /bin/sh
    sh -c sw_vers
  • PID 552 (1)  /bin/bash
    sh -c sw_vers
  • PID 552 (1)  /usr/bin/sw_vers
    sw_vers
  • PID 553 (1)  /bin/sh
    sh -c "dscl /Local/Default -authonly run \"\""
  • PID 553 (1)  /bin/bash
    sh -c "dscl /Local/Default -authonly run \"\""
  • PID 553 (1)  /usr/bin/dscl
    dscl /Local/Default -authonly run
  • PID 554 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.AccountPolicyHelper
  • PID 554 (1)  /System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
    /System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
  • PID 555 (1)  /bin/sh
    sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
  • PID 555 (1)  /bin/bash
    sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
  • PID 555 (1)  /usr/bin/osascript
    osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
  • PID 556 (1)  /usr/bin/pluginkit
    /usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
  • PID 557 (1)  /usr/sbin/spctl
    /usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater4B941C11/OneDrive.app
  • PID 579 (1)  /bin/sh
    sh -c "dscl /Local/Default -authonly run root"
  • PID 579 (1)  /bin/bash
    sh -c "dscl /Local/Default -authonly run root"
  • PID 580 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.TextInputMenuAgent
  • PID 579 (1)  /usr/bin/dscl
    dscl /Local/Default -authonly run root
  • PID 580 (1)  /System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
    /System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
  • PID 581 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.TextInputSwitcher
  • PID 581 (1)  /System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
    /System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
  • PID 582 (1)  /bin/sh
    sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr"
  • PID 582 (1)  /bin/bash
    sh -c "ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr"
  • PID 582 (1)  /usr/bin/ditto
    ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr
  • PID 583 (1)  /bin/sh
    sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"
  • PID 583 (1)  /bin/bash
    sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"
  • PID 583 (1)  /usr/bin/osascript
    osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"
  • PID 584 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.nehelper
  • PID 584 (1)  /usr/libexec/nehelper
    /usr/libexec/nehelper
  • PID 602 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.geod
  • PID 602 (1)  /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
    /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
  • PID 603 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.geod
  • PID 603 (1)  /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
    /System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
  • PID 604 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.secinitd
  • PID 604 (1)  /usr/libexec/secinitd
    /usr/libexec/secinitd
  • PID 605 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.cfprefsd.xpc.agent
  • PID 605 (1)  /usr/sbin/cfprefsd
    /usr/sbin/cfprefsd agent
  • PID 607 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.ReportMemoryException
  • PID 607 (1)  /usr/libexec/ReportMemoryException
    /usr/libexec/ReportMemoryException
  • PID 609 (1)  /usr/libexec/xpcproxy
    xpcproxy com.apple.AddressBook.ContactsAccountsService
  • PID 609 (1)  /System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
    /System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
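The tree above shows a three-step credential theft rather than an exploit: the sample profiles the host (system_profiler, sw_vers), probes the local directory node with `dscl /Local/Default -authonly run ""` (an empty password for the current user, "run"), throws a fake "System Preferences" dialog via osascript whose `default answer "" ... with hidden answer` renders a password field, then re-runs `dscl /Local/Default -authonly run root`. In dscl, `-authonly <user> <password>` authenticates the user with that password, so the second argument is whatever was typed into the dialog, passed in clear on the command line; the 4-byte `password-entered` file in the staged directory is consistent with that same string. ditto then zips the staging directory `/Users/run/223204531`, which holds the Chrome Autofill, Cookies and Password copies, `login-keychain` and `Sysinfo.txt`, and a decoy "Some error occurred" dialog closes the act. The following detection logic is an added example, not code from the sandbox vendor or the sample; the event records are constructed from the PIDs and command lines in this report, and the rule names, `ProcEvent` type and `detect`/`verdict` functions are this example's own.

```python
"""Detect the fake-password-prompt -> dscl -authonly -> ditto staging chain.

Added example; not part of the sandbox report or the analysed sample.
Event records below are constructed from the report's process tree
(sh/bash wrappers omitted, final image per PID only) and stand in for
EDR process-start telemetry that carries the full command line.
"""
import shlex
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One exec event: PID, executable image and full command line."""
    pid: int
    image: str
    cmdline: str


# Constructed from the page's process tree (PIDs and command lines as shown).
SAMPLE_EVENTS = [
    ProcEvent(545, "/usr/sbin/system_profiler", "system_profiler SPHardwareDataType"),
    ProcEvent(552, "/usr/bin/sw_vers", "sw_vers"),
    ProcEvent(553, "/usr/bin/dscl", 'dscl /Local/Default -authonly run ""'),
    ProcEvent(555, "/usr/bin/osascript",
              'osascript -e \'display dialog "To launch the application, you need to update '
              'the system settings \\n\\nPlease enter your password." with title '
              '"System Preferences" with icon caution default answer "" giving up after 30 '
              'with hidden answer\''),
    ProcEvent(579, "/usr/bin/dscl", "dscl /Local/Default -authonly run root"),
    ProcEvent(582, "/usr/bin/ditto",
              "ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 "
              "/Users/run/223204531.zip --norsrc --noextattr"),
    ProcEvent(583, "/usr/bin/osascript",
              'osascript -e \'display dialog "Some error occurred while running the '
              'application." buttons {"OK"} default button 1 with icon stop\''),
]


def is_password_prompt(ev: ProcEvent) -> bool:
    """osascript 'display dialog' that asks for a hidden (password-style) answer."""
    return (ev.image.endswith("/osascript")
            and "display dialog" in ev.cmdline
            and "hidden answer" in ev.cmdline)


def authonly_credentials(ev: ProcEvent):
    """For `dscl <node> -authonly <user> [<password>]` return (user, password), else None.

    The password is an ordinary argv element, so it is visible to any
    process telemetry (and to this sandbox report).
    """
    if not ev.image.endswith("/dscl"):
        return None
    argv = shlex.split(ev.cmdline)
    if "-authonly" not in argv:
        return None
    i = argv.index("-authonly")
    if i + 1 >= len(argv):
        return None
    user = argv[i + 1]
    password = argv[i + 2] if i + 2 < len(argv) else ""
    return user, password


def staging_archive(ev: ProcEvent):
    """Return the .zip written by a `ditto -c ... <src> <dst>.zip` call, else None."""
    if not ev.image.endswith("/ditto"):
        return None
    argv = shlex.split(ev.cmdline)
    if "-c" not in argv:
        return None
    zips = [a for a in argv if a.endswith(".zip")]
    return zips[-1] if zips else None


def detect(events):
    """Walk events in order; emit (rule, pid) for each step of the chain.

    Ordering matters: a successful -authonly or a ditto archive only counts
    as part of the chain once a hidden-answer prompt has been seen.
    """
    findings = []
    prompt_seen = False
    for ev in events:
        if is_password_prompt(ev):
            prompt_seen = True
            findings.append(("fake_password_prompt", ev.pid))
        creds = authonly_credentials(ev)
        if creds is not None:
            _user, password = creds
            if password == "":
                findings.append(("empty_password_probe", ev.pid))
            elif prompt_seen:
                findings.append(("phished_password_validated", ev.pid))
        if prompt_seen and staging_archive(ev):
            findings.append(("staging_archive", ev.pid))
    return findings


def verdict(findings) -> str:
    """Collapse findings into one label for alerting."""
    rules = {rule for rule, _pid in findings}
    if {"fake_password_prompt", "phished_password_validated", "staging_archive"} <= rules:
        return "credential_phish_and_staging"
    if "fake_password_prompt" in rules:
        return "suspicious_password_prompt"
    return "clean"


if __name__ == "__main__":
    for rule, pid in detect(SAMPLE_EVENTS):
        print(f"{rule:30s} pid={pid}")
    print(verdict(detect(SAMPLE_EVENTS)))
```

Two practical consequences follow from the `-authonly` step. First, hunting on `dscl` with `-authonly` and a non-empty trailing argument, launched from a shell rather than an interactive session, catches the validation even if the dialog text changes. Second, because the typed password sits in argv, both EDR command-line telemetry and sandbox reports like this one contain the victim's password in clear; treat them as credential material and rotate the account if the sample ran on a real user's machine.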

                                                                                                                              Network

                                                                                                                                    MITRE ATT&CK Enterprise v15

                                                                                                                                    Replay Monitor

                                                                                                                                    Loading Replay Monitor...

                                                                                                                                    Downloads

                                                                                                                                    • /Users/run/./223204531/Chromium/Chrome/Autofill0

                                                                                                                                      Filesize

                                                                                                                                      90KB

                                                                                                                                      MD5

                                                                                                                                      4e9060f76c1cb5b54005dc6640a58f0d

                                                                                                                                      SHA1

                                                                                                                                      04a1e6791ae55612d9b63f23ccb37eec398b3d27

                                                                                                                                      SHA256

                                                                                                                                      5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3

                                                                                                                                      SHA512

                                                                                                                                      be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148

                                                                                                                                    • /Users/run/./223204531/Chromium/Chrome/Cookies2

                                                                                                                                      Filesize

                                                                                                                                      20KB

                                                                                                                                      MD5

                                                                                                                                      2a3fa78b5f55b529a2698ad187c80204

                                                                                                                                      SHA1

                                                                                                                                      cbbda35512038de511ac23b0aed12e9e86bcc796

                                                                                                                                      SHA256

                                                                                                                                      d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b

                                                                                                                                      SHA512

                                                                                                                                      e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab

                                                                                                                                    • /Users/run/./223204531/Chromium/Chrome/Password1

                                                                                                                                      Filesize

                                                                                                                                      40KB

                                                                                                                                      MD5

                                                                                                                                      b6914d8e5cb470236eceed8d6f8b4fb7

                                                                                                                                      SHA1

                                                                                                                                      cdff8880e9fa7630fc8d57af4669365b5ab29b60

                                                                                                                                      SHA256

                                                                                                                                      45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1

                                                                                                                                      SHA512

                                                                                                                                      1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7

                                                                                                                                    • /Users/run/./223204531/Sysinfo.txt

                                                                                                                                      Filesize

                                                                                                                                      1KB

                                                                                                                                      MD5

                                                                                                                                      2796d0c67f65e653e09763c09db8614d

                                                                                                                                      SHA1

                                                                                                                                      ed9a6fa0035d3c549738ce34a0fd7516f48505d1

                                                                                                                                      SHA256

                                                                                                                                      2ba36ad25309fe0241e34145a108e1421998623e00f3436874bd2a23a04c200c

                                                                                                                                      SHA512

                                                                                                                                      6a2df8c61f99a7de9e8612b53f672400d7836902b0989eb57a409981dd754b2ad4f97ae67232353fa7fa9bcd730b4c0e0bbac544fb9282232f50c057cd44f2c0

• /Users/run/./223204531/login-keychain
  Filesize 102KB


• /Users/run/./223204531/password-entered
  Filesize 4B


• /var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
  Filesize 47KB


• /var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
  Filesize 4KB
