Malware Analysis Report

2025-08-05 09:29

Sample ID 240223-qsf4jshb63
Target 66f94654a1494195ce06240feb988738_27_Installer
SHA256 5b55f2422e6b6d7ff2f74ba998eea04d0d67272869f53cf9b273026694762a9a
Tags
discovery evasion execution
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5b55f2422e6b6d7ff2f74ba998eea04d0d67272869f53cf9b273026694762a9a

Threat Level: Shows suspicious behavior

The file 66f94654a1494195ce06240feb988738_27_Installer was found to show suspicious behavior.

Malicious Activity Summary

discovery:  Queries the macOS version information.
evasion:    System Checks
execution:  AppleScript

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-23 13:31

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-23 13:31

Reported

2024-02-23 13:32

Platform

macos-20240214-en

Max time kernel

47s

Max time network

52s

Command Line

[xpcproxy com.apple.pluginkit.pkd]

Signatures

Queries the macOS version information.

discovery (Description, Process and Target: N/A for all rows)
Indicator:
  sh -c sw_vers
  sw_vers

System Checks

evasion (Description, Process and Target: N/A for all rows)
Indicator:
  sh -c "system_profiler SPHardwareDataType"
  system_profiler SPHardwareDataType

AppleScript

execution (Description, Process and Target: N/A for all rows)
Indicator:
  osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
  sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'"
  osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop"
  sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"

Processes

/usr/libexec/xpcproxy

[xpcproxy com.apple.pluginkit.pkd]

/usr/libexec/pkd

[/usr/libexec/pkd]

/bin/sh

[sh -c sudo /bin/zsh -c "/Users/run/66f94654a1494195ce06240feb988738_27_Installer"]

/bin/bash

[sh -c sudo /bin/zsh -c "/Users/run/66f94654a1494195ce06240feb988738_27_Installer"]

/usr/bin/sudo

[sudo /bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer]

/bin/zsh

[/bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer]

/Users/run/66f94654a1494195ce06240feb988738_27_Installer

[/Users/run/66f94654a1494195ce06240feb988738_27_Installer]

/usr/libexec/xpcproxy

[xpcproxy com.apple.sysmond]

/usr/libexec/sysmond

[/usr/libexec/sysmond]

./66f94654a1494195ce06240feb988738_27_Installer

[./66f94654a1494195ce06240feb988738_27_Installer]

/bin/sh

[sh -c system_profiler SPHardwareDataType]

/bin/bash

[sh -c system_profiler SPHardwareDataType]

/usr/sbin/system_profiler

[system_profiler SPHardwareDataType]

/bin/sh

[sh -c system_profiler SPDisplaysDataType]

/bin/bash

[sh -c system_profiler SPDisplaysDataType]

/usr/sbin/system_profiler

[system_profiler SPDisplaysDataType]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.systemsoundserverd]

/usr/sbin/systemsoundserverd

[/usr/sbin/systemsoundserverd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.pbs]

/System/Library/CoreServices/pbs

[/System/Library/CoreServices/pbs]

/usr/libexec/xpcproxy

[xpcproxy com.apple.audio.AudioComponentRegistrar]

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar

[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]

/bin/sh

[sh -c sw_vers]

/bin/bash

[sh -c sw_vers]

/usr/bin/sw_vers

[sw_vers]

/bin/sh

[sh -c dscl /Local/Default -authonly run ""]

/bin/bash

[sh -c dscl /Local/Default -authonly run ""]

/usr/bin/dscl

[dscl /Local/Default -authonly run ]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AccountPolicyHelper]

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper

[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]

/bin/sh

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/bin/bash

[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']

/usr/bin/osascript

[osascript -e display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]

/usr/bin/pluginkit

[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]

/usr/sbin/spctl

[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater4B941C11/OneDrive.app]

/bin/sh

[sh -c dscl /Local/Default -authonly run root]

/bin/bash

[sh -c dscl /Local/Default -authonly run root]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextInputMenuAgent]

/usr/bin/dscl

[dscl /Local/Default -authonly run root]

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent

[/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.TextInputSwitcher]

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher

[/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher]

/bin/sh

[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr]

/bin/bash

[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr]

/usr/bin/ditto

[ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr]

/bin/sh

[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']

/bin/bash

[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']

/usr/bin/osascript

[osascript -e display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop]

/usr/libexec/xpcproxy

[xpcproxy com.apple.nehelper]

/usr/libexec/nehelper

[/usr/libexec/nehelper]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.geod]

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod

[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]

/usr/libexec/xpcproxy

[xpcproxy com.apple.secinitd]

/usr/libexec/secinitd

[/usr/libexec/secinitd]

/usr/libexec/xpcproxy

[xpcproxy com.apple.cfprefsd.xpc.agent]

/usr/sbin/cfprefsd

[/usr/sbin/cfprefsd agent]

/usr/libexec/xpcproxy

[xpcproxy com.apple.ReportMemoryException]

/usr/libexec/ReportMemoryException

[/usr/libexec/ReportMemoryException]

/usr/libexec/xpcproxy

[xpcproxy com.apple.AddressBook.ContactsAccountsService]

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService

[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]

Network

Country  Destination          Domain                                   Proto
US       8.8.8.8:53           35-courier.push.apple.com                udp
US       8.8.8.8:53           7-courier.push.apple.com                 udp
US       8.8.8.8:53           mobile.events.data.trafficmanager.net    udp
US       20.42.72.131:443     -                                        tcp
US       8.8.8.8:53           29-courier.push.apple.com                udp
RU       5.42.65.55:80        5.42.65.55                               tcp
US       8.8.8.8:53           apis.apple.map.fastly.net                udp
US       8.8.8.8:53           25-courier.push.apple.com                udp
GB       17.57.146.12:5223    25-courier.push.apple.com                tcp
US       8.8.8.8:53           a1366.dscapi6.akamai.net                 udp
GB       23.200.147.24:443    -                                        tcp
US       8.8.8.8:53           e4686.dsce9.akamaiedge.net               udp
GB       104.91.71.86:443     a1366.dscapi6.akamai.net                 tcp
US       8.8.8.8:53           5.courier-push-apple.com.akadns.net      udp

Files

/Users/run/./223204531/password-entered

/Users/run/./223204531/Sysinfo.txt

/Users/run/./223204531/Chromium/Chrome/Password1

/Users/run/./223204531/Chromium/Chrome/Cookies2

/Users/run/./223204531/Chromium/Chrome/Autofill0

/Users/run/./223204531/login-keychain

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db

/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
