82b79384462dcb99be25284fd88a55a69f83b029e0854fc6f04bae5a6262d4cb

Analysis

max time kernel
115s
max time network
147s
platform
macos-10.15_amd64
resource
macos-20240410-en
resource tags

arch:amd64arch:i386image:macos-20240410-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
23/05/2024, 12:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp
Size

444KB
MD5

e0fd4aa6ba07003f9bdcee0b44358f3b
SHA1

0d51267ffd442fdfe9c78f88d13c429b43702c8d
SHA256

ca20feeddf2bb9edb2ba29d393387a55037260151b236041fabdc9f08b12ca8e
SHA512

7b32b490a64e3cdcc4470af8a5cf0156200adddbdc6d55c845939703767d33fec2afe8eeeedec13d0655888bd12de9e7725004ac630e96bacbe25c561d094128
SSDEEP

6144:u9mMHFGRWIcUe8LAzv1mLfMy8+3ctQO0scbiW1Fsn4qau3zV0Yt/M7ai6/0tqHqq:u9mMHwkIRe8LAzv16T8+MKKc3i/R9rCy

Score

4^/10

evasion

Malware Config

Signatures

Resource Forking 1 TTPs 4 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
sh -c "sudo /bin/zsh -c \"/Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp\""	Process not Found
sudo /bin/zsh -c /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp	Process not Found
/bin/zsh -c /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp	Process not Found
/Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp\""
1⤵
PID:490

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp\""
1⤵
PID:490

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp
1⤵
PID:490
- /bin/zsh
  /bin/zsh -c /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp
  2⤵
  PID:491
- /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp
  /Users/run/ProntoInstaller/ProntoInstaller.app/Contents/Resources/ProntoApp.app/Contents/MacOS/ProntoApp
  2⤵
  PID:491

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:492

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterB516C108/OneDrive.app
1⤵
PID:493

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:515

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:524

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:524

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:539

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

Loading Replay Monitor...