Analysis Overview
SHA256
5b55f2422e6b6d7ff2f74ba998eea04d0d67272869f53cf9b273026694762a9a
Threat Level: Shows suspicious behavior
The file 66f94654a1494195ce06240feb988738_27_Installer was found to show suspicious behavior.
Malicious Activity Summary
System Checks
Queries the macOS version information.
AppleScript
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 13:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 13:31
Reported
2024-02-23 13:32
Platform
macos-20240214-en
Max time kernel
47s
Max time network
52s
Command Line
Signatures
Queries the macOS version information.
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | sh -c sw_vers | N/A | N/A |
| N/A | sw_vers | N/A | N/A |
System Checks
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | sh -c "system_profiler SPHardwareDataType" | N/A | N/A |
| N/A | system_profiler SPHardwareDataType | N/A | N/A |
AppleScript
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop'" | N/A | N/A |
| N/A | osascript -e "display dialog \"Some error occurred while running the application.\" buttons {\"OK\"} default button 1 with icon stop" | N/A | N/A |
| N/A | sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'" | N/A | N/A |
Processes
/usr/libexec/xpcproxy
[xpcproxy com.apple.pluginkit.pkd]
/usr/libexec/pkd
[/usr/libexec/pkd]
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/66f94654a1494195ce06240feb988738_27_Installer"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/66f94654a1494195ce06240feb988738_27_Installer"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer]
/bin/zsh
[/bin/zsh -c /Users/run/66f94654a1494195ce06240feb988738_27_Installer]
/Users/run/66f94654a1494195ce06240feb988738_27_Installer
[/Users/run/66f94654a1494195ce06240feb988738_27_Installer]
/usr/libexec/xpcproxy
[xpcproxy com.apple.sysmond]
/usr/libexec/sysmond
[/usr/libexec/sysmond]
./66f94654a1494195ce06240feb988738_27_Installer
[./66f94654a1494195ce06240feb988738_27_Installer]
/bin/sh
[sh -c system_profiler SPHardwareDataType]
/bin/bash
[sh -c system_profiler SPHardwareDataType]
/usr/sbin/system_profiler
[system_profiler SPHardwareDataType]
/bin/sh
[sh -c system_profiler SPDisplaysDataType]
/bin/bash
[sh -c system_profiler SPDisplaysDataType]
/usr/sbin/system_profiler
[system_profiler SPDisplaysDataType]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.systemsoundserverd]
/usr/sbin/systemsoundserverd
[/usr/sbin/systemsoundserverd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/usr/libexec/xpcproxy
[xpcproxy com.apple.audio.AudioComponentRegistrar]
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
[/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon]
/bin/sh
[sh -c sw_vers]
/bin/bash
[sh -c sw_vers]
/usr/bin/sw_vers
[sw_vers]
/bin/sh
[sh -c dscl /Local/Default -authonly run ""]
/bin/bash
[sh -c dscl /Local/Default -authonly run ""]
/usr/bin/dscl
[dscl /Local/Default -authonly run ]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AccountPolicyHelper]
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
[/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper]
/bin/sh
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/bin/bash
[sh -c osascript -e 'display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer']
/usr/bin/osascript
[osascript -e display dialog "To launch the application, you need to update the system settings \n\nPlease enter your password." with title "System Preferences" with icon caution default answer "" giving up after 30 with hidden answer]
/usr/bin/pluginkit
[/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater4B941C11/OneDrive.app]
/bin/sh
[sh -c dscl /Local/Default -authonly run root]
/bin/bash
[sh -c dscl /Local/Default -authonly run root]
/usr/libexec/xpcproxy
[xpcproxy com.apple.TextInputMenuAgent]
/usr/bin/dscl
[dscl /Local/Default -authonly run root]
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
[/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.TextInputSwitcher]
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
[/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher]
/bin/sh
[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr]
/bin/bash
[sh -c ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr]
/usr/bin/ditto
[ditto -c -k --sequesterRsrc --keepParent /Users/run/223204531 /Users/run/223204531.zip --norsrc --noextattr]
/bin/sh
[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']
/bin/bash
[sh -c osascript -e 'display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop']
/usr/bin/osascript
[osascript -e display dialog "Some error occurred while running the application." buttons {"OK"} default button 1 with icon stop]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.cfprefsd.xpc.agent]
/usr/sbin/cfprefsd
[/usr/sbin/cfprefsd agent]
/usr/libexec/xpcproxy
[xpcproxy com.apple.ReportMemoryException]
/usr/libexec/ReportMemoryException
[/usr/libexec/ReportMemoryException]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 35-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | 7-courier.push.apple.com | udp |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.42.72.131:443 | | tcp |
| US | 8.8.8.8:53 | 29-courier.push.apple.com | udp |
| RU | 5.42.65.55:80 | 5.42.65.55 | tcp |
| US | 8.8.8.8:53 | apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | 25-courier.push.apple.com | udp |
| GB | 17.57.146.12:5223 | 25-courier.push.apple.com | tcp |
| US | 8.8.8.8:53 | a1366.dscapi6.akamai.net | udp |
| GB | 23.200.147.24:443 | | tcp |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| GB | 104.91.71.86:443 | a1366.dscapi6.akamai.net | tcp |
| US | 8.8.8.8:53 | 5.courier-push-apple.com.akadns.net | udp |
Files
/Users/run/./223204531/password-entered
| Hash | Value |
|---|---|
| MD5 | 63a9f0ea7bb98050796b649e85481845 |
| SHA1 | dc76e9f0c0006e8f919e0c515c66dbba3982f785 |
| SHA256 | 4813494d137e1631bba301d5acab6e7bb7aa74ce1185d456565ef51d737677b2 |
| SHA512 | 99adc231b045331e514a516b4b7680f588e3823213abe901738bc3ad67b2f6fcb3c64efb93d18002588d3ccc1a49efbae1ce20cb43df36b38651f11fa75678e8 |
/Users/run/./223204531/Sysinfo.txt
| Hash | Value |
|---|---|
| MD5 | 2796d0c67f65e653e09763c09db8614d |
| SHA1 | ed9a6fa0035d3c549738ce34a0fd7516f48505d1 |
| SHA256 | 2ba36ad25309fe0241e34145a108e1421998623e00f3436874bd2a23a04c200c |
| SHA512 | 6a2df8c61f99a7de9e8612b53f672400d7836902b0989eb57a409981dd754b2ad4f97ae67232353fa7fa9bcd730b4c0e0bbac544fb9282232f50c057cd44f2c0 |
/Users/run/./223204531/Chromium/Chrome/Password1
| Hash | Value |
|---|---|
| MD5 | b6914d8e5cb470236eceed8d6f8b4fb7 |
| SHA1 | cdff8880e9fa7630fc8d57af4669365b5ab29b60 |
| SHA256 | 45bda2415419c24d2526ae60cae5ee1d66bc8d2cc986bb9e94c0f3c414af06c1 |
| SHA512 | 1c491cfeb2b883ed20a43e16d7bf620520f4b770c8727ffb83e02554aa6aa54def4732460bcff82014050f7a1fba38e01f5570cacfbfcef6da6f2f795dc56ee7 |
/Users/run/./223204531/Chromium/Chrome/Cookies2
| Hash | Value |
|---|---|
| MD5 | 2a3fa78b5f55b529a2698ad187c80204 |
| SHA1 | cbbda35512038de511ac23b0aed12e9e86bcc796 |
| SHA256 | d52ad17cc5096119732f06311ef2e25005c2a00f551c9684e2d655cbc846455b |
| SHA512 | e9b113ec0c6a888e059cf625b0bfb128d11a55970fed12df30848c9f836c5f36b2660abb4e2a820e7dedd6f0ead312edec1c6cd645f14091d98b42f696bda9ab |
/Users/run/./223204531/Chromium/Chrome/Autofill0
| Hash | Value |
|---|---|
| MD5 | 4e9060f76c1cb5b54005dc6640a58f0d |
| SHA1 | 04a1e6791ae55612d9b63f23ccb37eec398b3d27 |
| SHA256 | 5b6dd3116e1d3ecbf6d07ecfc03f1537ab00ce91336cc7c6cddda6df0c9984d3 |
| SHA512 | be921e02bb810fb867c1de3e3c2a9c3b04c84188d6a9eae60b73558bd4748c1451161da8fba2c8e74f225be4b8a6f0e98276fe1e397b0083fcbbd4ebdf32e148 |
/Users/run/./223204531/login-keychain
| Hash | Value |
|---|---|
| MD5 | 2681e2a846c5b2d5efb01a53a406732c |
| SHA1 | 735a5a4ca2bac087a35d76377878bce2015042a8 |
| SHA256 | f4487ee4085b2c8c030a49b437b80987f1e82856bcecfcab184e37f0419c0594 |
| SHA512 | b786cf59b8d2dd47a959fcef3e5fb2f348030641beb825e51cbd650c00453bc8812a9f5e8507f88099e3d3080a4da7633f1faa4f4b8a4cc6c3a8c275c7fb5c31 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| Hash | Value |
|---|---|
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| Hash | Value |
|---|---|
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |