Analysis
-
max time kernel
147s -
max time network
157s -
platform
macos-10.15_amd64 -
resource
macos-20240214-en -
resource tags
arch:amd64 arch:i386 image:macos-20240214-en kernel:19b77a locale:en-us os:macos-10.15-amd64 system
submitted
23-02-2024 19:43
Static task
static1
Behavioral task
behavioral1
Sample
ICQLiteShell.dll
Resource
macos-20240214-en
Behavioral task
behavioral2
Sample
ICQRT.dll
Resource
macos-20240214-en
Behavioral task
behavioral3
Sample
Language/WinRar.exe
Resource
macos-20240214-en
Behavioral task
behavioral4
Sample
LiteRes.dll
Resource
macos-20240214-en
Behavioral task
behavioral5
Sample
LiteSkinUtils.dll
Resource
macos-20240214-en
Behavioral task
behavioral6
Sample
setup.exe
Resource
macos-20240214-en
General
-
Target
ICQRT.dll
-
Size
32KB
-
MD5
1aedcb8994d6ad63ef9dcb87016e028f
-
SHA1
f5b891aa15c6353b681bdb7e2d96c6ac8a5f02d7
-
SHA256
53e1f40144bab532f9700ff25ec3d5c6a39784a98e17fada583b4ee6d9dd5dbc
-
SHA512
89c0f408797c4d78afc52335a9e162345c614e1e419f55487cb358c14f7a69ec82138a7e6250be3133233386ba3659d241e80ab63c9b972b6c8b26b0424cb0c8
-
SSDEEP
384:+qtTeds1tkMAp4TxCW9su5UcSu93ggoXUQQIPGEANHl:FTedukelF95RjQUUPpANHl
Malware Config
Signatures
-
Resource Forking — 1 TTP, 2 IoCs
Processes:
ioc process
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
Processes
-
/bin/sh | sh -c "sudo /bin/zsh -c \"/Users/run/ICQRT.dll\"" | 1⤵ PID:544
-
/bin/bash | sh -c "sudo /bin/zsh -c \"/Users/run/ICQRT.dll\"" | 1⤵ PID:544
-
/usr/bin/sudo | sudo /bin/zsh -c /Users/run/ICQRT.dll | 1⤵ PID:544
-
/bin/zsh | /bin/zsh -c /Users/run/ICQRT.dll | 2⤵ PID:545
-
/Users/run/ICQRT.dll | /Users/run/ICQRT.dll | 2⤵ PID:545
-
/usr/libexec/xpcproxyxpcproxy com.apple.sysmond1⤵PID:547
-
/usr/libexec/sysmond/usr/libexec/sysmond1⤵PID:547
-
/usr/bin/pluginkit/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync1⤵PID:565
-
/usr/sbin/spctl/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterDA6CE80A/OneDrive.app1⤵PID:566
-
/usr/libexec/xpcproxyxpcproxy com.apple.nehelper1⤵PID:570
-
/usr/libexec/nehelper/usr/libexec/nehelper1⤵PID:570
-
/usr/libexec/xpcproxyxpcproxy com.apple.audio.systemsoundserverd1⤵PID:571
-
/usr/sbin/systemsoundserverd/usr/sbin/systemsoundserverd1⤵PID:571
-
/usr/libexec/xpcproxyxpcproxy com.apple.geod1⤵PID:576
-
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod1⤵PID:576
-
/usr/libexec/xpcproxyxpcproxy com.apple.Safari.20281⤵PID:579
-
/Applications/Safari.app/Contents/MacOS/Safari/Applications/Safari.app/Contents/MacOS/Safari1⤵PID:579
-
/usr/libexec/xpcproxyxpcproxy com.apple.Safari.History1⤵PID:580
-
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.History.xpc/Contents/MacOS/com.apple.Safari.History1⤵PID:580
-
/usr/libexec/xpcproxyxpcproxy com.apple.siri.context.service1⤵PID:582
-
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService1⤵PID:582
-
/usr/libexec/xpcproxyxpcproxy com.apple.WebKit.WebContent.E324B18A-E0C8-4FD1-96FA-7F075F1EEDF2 5791⤵PID:583
-
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent1⤵PID:583
-
/usr/libexec/xpcproxyxpcproxy com.apple.SafariLaunchAgent1⤵PID:588
-
/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent/Library/Apple/System/Library/CoreServices/SafariSupport.bundle/Contents/MacOS/SafariLaunchAgent1⤵PID:588
-
/usr/libexec/xpcproxyxpcproxy com.apple.CoreAuthentication.agent1⤵PID:589
-
/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd/System/Library/Frameworks/LocalAuthentication.framework/Support/coreauthd1⤵PID:589
-
/usr/libexec/xpcproxyxpcproxy com.apple.akd1⤵PID:590
-
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd1⤵PID:590
-
/usr/libexec/xpcproxyxpcproxy com.apple.WebKit.WebContent.58A28738-EF4D-4E5B-94B6-637F01C734A0 5791⤵PID:591
-
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent1⤵PID:591
-
/usr/libexec/xpcproxyxpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A1⤵PID:592
-
/usr/libexec/neagent/usr/libexec/neagent1⤵PID:592
-
/usr/libexec/xpcproxyxpcproxy com.apple.Safari.SearchHelper 5791⤵PID:593
-
/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper/System/Library/PrivateFrameworks/SafariShared.framework/Versions/A/XPCServices/com.apple.Safari.SearchHelper.xpc/Contents/MacOS/com.apple.Safari.SearchHelper1⤵PID:593
-
/usr/libexec/xpcproxyxpcproxy com.apple.pbs1⤵PID:594
-
/System/Library/CoreServices/pbs/System/Library/CoreServices/pbs1⤵PID:594
-
/usr/libexec/xpcproxyxpcproxy com.apple.Safari.SafeBrowsing.Service1⤵PID:595
-
/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service/System/Library/PrivateFrameworks/SafariSafeBrowsing.framework/com.apple.Safari.SafeBrowsing.Service1⤵PID:595
-
/usr/libexec/xpcproxyxpcproxy com.apple.WebKit.WebContent.769285D1-38BE-4702-9E74-1C9B06EAD9C7 5791⤵PID:598
-
/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent/System/Library/Frameworks/WebKit.framework/Versions/A/XPCServices/com.apple.WebKit.WebContent.xpc/Contents/MacOS/com.apple.WebKit.WebContent1⤵PID:598
-
/usr/libexec/xpcproxyxpcproxy com.apple.AddressBook.ContactsAccountsService1⤵PID:599
-
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService1⤵PID:599
-
/usr/libexec/xpcproxyxpcproxy com.apple.routined1⤵PID:604
-
/usr/libexec/routined/usr/libexec/routined LAUNCHED_BY_LAUNCHD1⤵PID:604
-
/usr/libexec/xpcproxyxpcproxy com.apple.Maps.mapspushd1⤵PID:605
-
/System/Library/CoreServices/mapspushd/System/Library/CoreServices/mapspushd1⤵PID:605
-
/usr/libexec/xpcproxyxpcproxy com.apple.knowledge-agent1⤵PID:606
-
/usr/libexec/knowledge-agent/usr/libexec/knowledge-agent1⤵PID:606
-
/usr/libexec/xpcproxyxpcproxy com.apple.tailspind1⤵PID:607
-
/usr/libexec/tailspind/usr/libexec/tailspind1⤵PID:607
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportCrash.Root1⤵PID:608
-
/System/Library/CoreServices/ReportCrash/System/Library/CoreServices/ReportCrash daemon1⤵PID:608
-
/usr/libexec/xpcproxyxpcproxy com.apple.AppStore.19001⤵PID:609
-
/System/Applications/App Store.app/Contents/MacOS/App Store"/System/Applications/App Store.app/Contents/MacOS/App Store"1⤵PID:609
-
/usr/libexec/xpcproxyxpcproxy com.apple.ReportMemoryException1⤵PID:610
-
/usr/libexec/ReportMemoryException/usr/libexec/ReportMemoryException1⤵PID:610
-
/usr/libexec/xpcproxyxpcproxy com.apple.storeuid1⤵PID:611
-
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid1⤵PID:611
-
/usr/libexec/xpcproxyxpcproxy com.apple.adid1⤵PID:612
-
/System/Library/PrivateFrameworks/CoreADI.framework/adid/System/Library/PrivateFrameworks/CoreADI.framework/adid1⤵PID:612
-
/usr/libexec/xpcproxyxpcproxy com.apple.security.cloudkeychainproxy31⤵PID:613
-
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy1⤵PID:613
-
/usr/libexec/xpcproxyxpcproxy com.apple.PerformanceAnalysis.animationperfd1⤵PID:614
-
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd1⤵PID:614
-
/usr/libexec/xpcproxyxpcproxy com.apple.coremedia.videodecoder 6091⤵PID:615
-
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService1⤵PID:615
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
288B
MD5 c92127f7ee48ad5e3c8b165ef0dcba1c
SHA1 7fabbe716497efc2de185429b40127cdd58f59b7
SHA256 04fefbaa058a5c300a90a50be6894dde2138fa47239dd93e7b9265352a96e4eb
SHA512 29d6c275b4337e642dfc183316969acbc345c0cfae53f94a103192e56fbf73499cc05cbf8076788191434162ba75275adfbbe0bf31ade37be0c76954570b1ccc
-
Filesize
351B
MD5 be8b4dae4e6977d5d770002506268c7c
SHA1 5f6d6cbdbc4374e2f8f48d74addcffb107062042
SHA256 e345cd848b7d6c0fca957a1a87190f397d7723d35bb405553295b383b3b70e83
SHA512 dbb9a293085aa2ad9ebd71c303b9ff96bf7393975c85c161507ffbb581634d522c4670915c3199a71f8153cee7587ec01af6271b0eee92e17031d580ae60f6f1
-
Filesize
351B
MD5 86d2c6a3b47c12808150907f25d26067
SHA1 e4f1e3cc464cc19cdace46db8890a5ed8be24ab6
SHA256 a7264cf964a0c27328b5e235b6942e3db3ab72bfeb6ad155373c38811b33f7c8
SHA512 0fde33e0835b17ac0b2ebf59486c32bc6353dde0e314060277e2c9efcd9e7fd65902894eb3fbb4e5c904acd01fa49cfd3078a5912159f6e3d785c17b83f9dc59
-
Filesize
381B
MD5 9082262e6c27da2d49cfa5bf8a11d6e0
SHA1 80542f9f38f56647d06c8c7ba77c68da9f723d8e
SHA256 90a0373d471968a8208e7ee0f5ee89f681e2078de199737f6c4bd9210476fbde
SHA512 44414f28855d1e814e1127cb3b1568d72ed0ae672a6d829f382b7ac861b9d693b5dd353d219fe2111a74d4422160b2cc7d9eb064fefd957f240ea51affd92a31
-
Filesize
381B
MD5 6523a084f3df0e178935981daaba52bc
SHA1 0df70617639ec931f92089bf14ef6a785d483d56
SHA256 45b6028b88f774baf7a9c00d2c009c7bdca28f4d236b641535dbf31a566919a1
SHA512 fb2528c34e1384678ed815e9e3117872b7ad2d4870de1711de4a3f3663a3acd16764b2d299c8f88ba939bd0b65b6300a4ac9ae0e981abddc63ac3d1ae96ef4be
-
Filesize
124KB
MD5 5c8cecca924e88f6378895cd5592d9bd
SHA1 397ecefb6f879d00b6d81c2832007dd18039bb99
SHA256 77684c30fc25761612d698656d317660fea30daedf8749dd78fc4912ffc367dd
SHA512 5ae906c470289f4aa2921561b831fa07f8cbf038821df53dae24dd6ef019edc2ff49fa108e7f374eaf0dd511f71f541bf1b9a1b778b775c6faadcd3ea9cc5037
-
Filesize
150KB
MD5 76ebb0196d42a294b69ef118cbb301d5
SHA1 61e5ab752d351af1661716bc48c0520f66cd1d1b
SHA256 aaa9febe98e3a75220b4933d1f00f2bef276183491e7d171fa54d03259812759
SHA512 8dde09d72944e8925c5bd64dc3799a44d7c30191d5038939a24f8a45ccf4d66b84990e8be3e0f2ee1d42d1dd6e5ed3673c39f803874fb0840a3232cc1e533663
-
Filesize
5KB
MD5 f3418a443e7d841097c714d69ec4bcb8
SHA1 49263695f6b0cdd72f45cf1b775e660fdc36c606
SHA256 6da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA512 82d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/malware,osx,url_expression
Filesize 223KB
MD5 0724bf813bcc58ecac05a62a121256a6
SHA1 6fe9f66d65e3dfbc86cfd5dd7a65840be59625ef
SHA256 43d4adeb6880085c2296110b39098bfdd1c53a32e6fdc77017b86352415fea19
SHA512 20a59e68d2f94c18e1884b1df736a3ccfd7f22f05d7e8cbd48a86d3746916b7385f2e42c572348f7992a723ec6e91926b599c04e06bc72ce57e89b89012bb10c
-
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/social_engineering,osx,url_expression
Filesize 3.9MB
MD5 93de55a18bd95bb8ea18a84a98cb888e
SHA1 64d7e3fc7999a1bf7c8b3fb283d29d65b39debee
SHA256 4bc6b308a2f9fad57379ba54fa9af94153aa2b36216500ff86c4e0ec6cf79b29
SHA512 4731f96052ea3373829940bcc96369028eaea2b3ce69fdc01c31c2830eb82b2b4de68dc3f334bc08c9742e4b733663b51fa4f02fe9baecd3ba50bca78601b855
-
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.Safari.SafeBrowsing/Google/unwanted_software,osx,url_expression
Filesize 1.3MB
MD5 dc924e682938b51439d1cb1d49b45376
SHA1 d20814392f22eb1d819e405ad04ae97489620fd1
SHA256 db1e9caf3edbcd1c5cfa59de98c1d3c4af1eef4d7a8e4aa86287ed13d3a10fc3
SHA512 6d0a87ec3baf63cc76ab7a69df04dac3314fe5cfefa62456bfdd70adc734af0198a5ccfffd68e38219efd094234b291244a0a129fe243ec0c3574397929b3a2a
-
Filesize
47KB
MD5 0e4a0d1ceb2af6f0f8d0167ce77be2d3
SHA1 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c
SHA256 cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030
SHA512 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20
-
Filesize
4KB
MD5 d3a1859e6ec593505cc882e6def48fc8
SHA1 f8e6728e3e9de477a75706faa95cead9ce13cb32
SHA256 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c
SHA512 ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818