Analysis Overview
SHA256
9c13cde9c884d4632662fc108d67a11740e75897f227d7b438294d8b20871396
Threat Level: Shows suspicious behavior
The file Xiaomi_Pro_Tool_v3.8.rar was found to be: Shows suspicious behavior.
Malicious Activity Summary
Loads dropped DLL
Resource Forking
Unsigned PE
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 21:44
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 21:44
Reported
2024-06-11 21:47
Platform
debian12-armhf-20240418-en
Max time network
148s
Command Line
Signatures
Processes
Network
| Country | Destination | Domain | Proto |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-2 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-2 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-2 | udp |
| US | 1.1.1.1:53 | debian12-armhf-20240418-en-2 | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 21:44
Reported
2024-06-11 21:47
Platform
macos-20240611-en
Max time kernel
139s
Max time network
154s
Command Line
Signatures
Resource Forking
| Description | Indicator | Process | Target |
| N/A | /System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy | N/A | N/A |
Processes
/bin/sh
[sh -c sudo /bin/zsh -c "/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin"]
/bin/bash
[sh -c sudo /bin/zsh -c "/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin"]
/usr/bin/sudo
[sudo /bin/zsh -c /Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin]
/bin/zsh
[/bin/zsh -c /Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin]
/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin
[/Users/run/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/gpt_main0.bin]
/usr/libexec/xpcproxy
[xpcproxy com.apple.security.cloudkeychainproxy3]
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
[/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.geod]
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
[/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod]
/usr/libexec/xpcproxy
[xpcproxy com.apple.secinitd]
/usr/libexec/secinitd
[/usr/libexec/secinitd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.AddressBook.ContactsAccountsService]
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
[/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService]
/usr/libexec/xpcproxy
[xpcproxy com.apple.routined]
/usr/libexec/routined
[/usr/libexec/routined LAUNCHED_BY_LAUNCHD]
/usr/libexec/xpcproxy
[xpcproxy com.apple.Maps.mapspushd]
/System/Library/CoreServices/mapspushd
[/System/Library/CoreServices/mapspushd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.nehelper]
/usr/libexec/nehelper
[/usr/libexec/nehelper]
/usr/libexec/xpcproxy
[xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A]
/usr/libexec/neagent
[/usr/libexec/neagent]
/usr/sbin/spctl
[/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app]
/usr/libexec/xpcproxy
[xpcproxy com.apple.assistantd]
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
[/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd]
/usr/libexec/xpcproxy
[xpcproxy com.apple.pbs]
/System/Library/CoreServices/pbs
[/System/Library/CoreServices/pbs]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon]
/bin/launchctl
[/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon]
Network
| Country | Destination | Domain | Proto |
| GB | 51.132.193.104:443 | tcp | |
| GB | 17.250.81.67:443 | tcp | |
| US | 8.8.8.8:53 | h3.apis.apple.map.fastly.net | udp |
| US | 8.8.8.8:53 | gspe1-ssl.ls.apple.com.edgesuite.net | udp |
| GB | 104.77.118.121:443 | tcp | |
| US | 8.8.8.8:53 | e4686.dsce9.akamaiedge.net | udp |
| US | 8.8.8.8:53 | a479.dscg4.akamai.net | udp |
| GB | 23.59.171.27:443 | gspe1-ssl.ls.apple.com.edgesuite.net | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | mobile.events.data.trafficmanager.net | udp |
| US | 20.189.173.17:443 | tcp | |
| US | 8.8.8.8:53 | cds.apple.com | udp |
| BE | 104.68.86.71:443 | cds.apple.com | tcp |
| US | 8.8.8.8:53 | help.apple.com | udp |
| SE | 23.34.233.79:443 | help.apple.com | tcp |
| SE | 23.34.233.79:443 | help.apple.com | tcp |
Files
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsObject.db
| MD5 | d3a1859e6ec593505cc882e6def48fc8 |
| SHA1 | f8e6728e3e9de477a75706faa95cead9ce13cb32 |
| SHA256 | 3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c |
| SHA512 | ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818 |
/var/folders/zz/zyxvpxvq6csfxvn_n00000sm00006d/C//mds/mdsDirectory.db
| MD5 | 0e4a0d1ceb2af6f0f8d0167ce77be2d3 |
| SHA1 | 414ba4c1dc5fc8bf53d550e296fd6f5ad669918c |
| SHA256 | cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030 |
| SHA512 | 1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20 |
/Users/run/Library/Caches/GeoServices/Resources/altitude-1285.xml
| MD5 | 9a43af57707d2fb460832049d1f217d1 |
| SHA1 | 056d813f8cb5198ca82072f7e3484f38ea5267f8 |
| SHA256 | 7224f8828694ed74a8353567e4d84da188d15a993a4a75938f8409cb49218e7c |
| SHA512 | 1f33175f5d0958c79540a627552f71c6960b6ff19c9b2b0aa604c00bfeff216f6ea2ec3a22ef91ad8d7249597fdf5ad49ddbf5f4aef71b397e785152474954d7 |
/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
| MD5 | f3cdcb26e15d4a9572d24482b77c3c35 |
| SHA1 | 1bc68d091952cb96bf13970d249ffb792d87924f |
| SHA256 | 07cf81ec0521b6c5d77b57611af5bc045684ba3cbecd52b18654ad92bc433029 |
| SHA512 | c50ed35a326d0880e7acdd97203c314416278791b2967c6055e7f94ef02461e8c6baf5502ad3bb38aedf341d90d75f2317b0b834fe45496042dc53b59d445a00 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | 95d1f6a479ea836bed553646ebef85c1 |
| SHA1 | 19da469018294e373c788d888e5c55e0bb18695e |
| SHA256 | fc78047a7293b7fba3abe949497f397804f86e2ff04c29c4a549df60aa877aa2 |
| SHA512 | 3f9b8aa7efc6cbbcf6672e0d08a630178c653894d800e9125ed18774de105bc564b097120e98b5711cec5d05d95b41fe822019bc10038055eabf341b0c12845d |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | b5ed1a4aa9f5eb7122af5b836de7cefc |
| SHA1 | 50f9e5dbb61125650245824f2bc6b466ede59bf6 |
| SHA256 | c81bb42621fd0e666a3863f06db96ab6f5f2631cf135d41e2916c25d973c1056 |
| SHA512 | 3986a6f6457f3f794a04034f6d905cdb7ab37e67fd3d266a1aa7bf5deaeb544097d0c8668642288f2a6dfb33f343147241d2130abbff33f20140c6608f4a1211 |
/Library/Preferences/com.apple.networkextension.uuidcache.plist
| MD5 | ce7f5b3d4bfc7b4b0da6a06dccc515f2 |
| SHA1 | ce657a52a052a3aaf534ecfbf7cbdde4ee334c10 |
| SHA256 | 9261ecceda608ef174256e5fdc774c1e6e3dcf533409c1bc393d490d01c713f1 |
| SHA512 | db9de6afa0e14c347aa0988a985b8a453ef133a2413c03bae0fab48bda34d4f9a488db104837a386bb65c393e8f11b1ed4856b211c1c186423649c147d6aabfb |
Analysis: behavioral4
Detonation Overview
Submitted
2024-06-11 21:44
Reported
2024-06-11 21:45
Platform
debian9-armhf-20240611-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-06-11 21:44
Reported
2024-06-11 21:45
Platform
debian9-mipsel-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-06-11 21:44
Reported
2024-06-11 21:47
Platform
win7-20240221-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe
"C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe"
Network
Files
memory/2028-7-0x00000000003C0000-0x00000000003D2000-memory.dmp
memory/2028-6-0x00000000003C0000-0x00000000003D2000-memory.dmp
memory/2028-3-0x00000000003A0000-0x00000000003BB000-memory.dmp
memory/2028-2-0x00000000003A0000-0x00000000003BB000-memory.dmp
memory/2028-8-0x0000000000400000-0x000000000149D000-memory.dmp
memory/2028-11-0x00000000003C0000-0x00000000003D2000-memory.dmp
memory/2028-10-0x00000000003A0000-0x00000000003BB000-memory.dmp
memory/2028-9-0x0000000077360000-0x0000000077361000-memory.dmp
memory/2028-16-0x00000000003C0000-0x00000000003D2000-memory.dmp
memory/2028-15-0x00000000003A0000-0x00000000003BB000-memory.dmp
memory/2028-17-0x0000000000400000-0x000000000149D000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-06-11 21:44
Reported
2024-06-11 21:45
Platform
ubuntu1804-amd64-20240611-en
Max time kernel
0s
Command Line
Signatures
Processes
/tmp/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/hyp.mbn
[/tmp/wt88047_pro_images_V9.2.3.0.LHJCNEK_20171229.0000.00_5.1_cn/images/hyp.mbn]
Network
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-06-11 21:44
Reported
2024-06-11 21:45
Platform
debian9-mipsbe-20240418-en
Command Line
Signatures
Processes
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-06-11 21:44
Reported
2024-06-11 21:47
Platform
win10v2004-20240508-en
Max time kernel
146s
Max time network
150s
Command Line
Signatures
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe
"C:\Users\Admin\AppData\Local\Temp\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8\Xiaomi_Pro_Tool_v3.8.exe"
Network
| Country | Destination | Domain | Proto |
| US | 52.111.229.43:443 | tcp |
Files
memory/3248-4-0x0000000001730000-0x000000000174B000-memory.dmp
memory/3248-3-0x0000000001730000-0x000000000174B000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\evb68AE.tmp
| MD5 | 70f0a349f0d28cbfe011ec6be17b24c7 |
| SHA1 | c8b7df21ca89ce02ff67b43c5c5d1b2b6f0600f1 |
| SHA256 | fa7aed239c6e1e48a3bb70723adbc632dcf2792c6ae50790d50fe41910602e9e |
| SHA512 | 7c6ef336d41e6628e05b3228ccea03e437a16c1f2cfe9bae0186e67e90a0867ec0e190d63537241e6e2baa32c0b33a80d2acf8ee25f13114de0f7f29fe6d8911 |
memory/3248-9-0x0000000001750000-0x0000000001762000-memory.dmp
memory/3248-8-0x0000000001750000-0x0000000001762000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\evb68BE.tmp
| MD5 | 49279bad944e3ed7006b772c4dff8dbb |
| SHA1 | 00eeed253b7bfe3b66e248299f056dba5faed22e |
| SHA256 | a6d07d954727b3edfbab7036094bc010b3b0ece307ff8400e185624d53a8955d |
| SHA512 | f72be6d22ddbf84b40e79c8839039106736ace1ce5556ac047fc9cab51790a0222f4cc5f01e38e93988c273bdf421cd2dc21c9f2f4181a24d55283154c4e7433 |
memory/3248-10-0x0000000000400000-0x000000000149D000-memory.dmp
memory/3248-12-0x0000000077053000-0x0000000077054000-memory.dmp
memory/3248-14-0x0000000001750000-0x0000000001762000-memory.dmp
memory/3248-13-0x0000000001730000-0x000000000174B000-memory.dmp
memory/3248-11-0x0000000077052000-0x0000000077053000-memory.dmp
memory/3248-15-0x0000000000400000-0x000000000149D000-memory.dmp
memory/3248-19-0x0000000001750000-0x0000000001762000-memory.dmp
memory/3248-18-0x0000000001730000-0x000000000174B000-memory.dmp