14f30b9c005f28caca6798e9b430a39595c60a245c38dbc253c8408495e0adb5

General

Target

Setup/Setup
Size

817KB
MD5

3d0fd2cceda9ce0323cbfee544dbb28e
SHA1

c466c8d79fb89a0e60ab35056224f9bdc0b13f0e
SHA256

1cd69417715dbc3678f1dbe48412feee1a0e180558025b7969f5895b4518b0c6
SHA512

95b4cc4358f2afb18c48cce5ede259bcce7d50ef620ae190c123c11b21238a48137684fdc07a5fc0faa609679a1cdd6665ae6a85f8aeb5bd743c14fd1c62c92f
SSDEEP

24576:Sxlz+I27UA2hI0OgkRG/iwkGjSG4Ol2vYKA:SxV+I2A1OgkRG/iwkGjSG4Ol2vYX

Score

7^/10

Malware Config

Signatures

Queries the macOS version information. 1 TTPs 2 IoCs

An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.

discovery

System Information Discovery

T1082

ioc	Process
sh -c sw_vers	Process not Found
sw_vers	Process not Found

System Checks 1 TTPs 2 IoCs

Adversaries may employ various system checks to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox.

evasion

System Checks

T1497.001

ioc	Process
system_profiler SPHardwareDataType	Process not Found
sh -c "system_profiler SPHardwareDataType"	Process not Found

AppleScript 1 TTPs 16 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

ioc	Process
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "tell application \"Terminal\" to set visible of front window to false"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Setup/Setup\""
1⤵
PID:533

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Setup/Setup\""
1⤵
PID:533

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Setup/Setup
1⤵
PID:533
- /bin/zsh
  /bin/zsh -c /Users/run/Setup/Setup
  2⤵
  PID:534
- /Users/run/Setup/Setup
  /Users/run/Setup/Setup
  2⤵
  PID:534

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:535

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:535

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to set visible of front window to false"
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.1804
1⤵
PID:536

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:536
- /usr/bin/login
  login -pf run
  2⤵
  PID:537
- - /bin/zsh
    -zsh
    3⤵
    PID:538
  - - /usr/libexec/path_helper
      /usr/libexec/path_helper -s
      4⤵
      PID:539
  - - /usr/bin/locale
      locale LC_CTYPE
      4⤵
      PID:540

/bin/sh
sh -c "mkdir /tmp/1491379462"
1⤵
PID:547

/bin/bash
sh -c "mkdir /tmp/1491379462"
1⤵
PID:547

/bin/mkdir
mkdir /tmp/1491379462
1⤵
PID:547

/bin/sh
sh -c sw_vers
1⤵
PID:548

/bin/bash
sh -c sw_vers
1⤵
PID:548

/usr/bin/sw_vers
sw_vers
1⤵
PID:548

/bin/sh
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:549

/bin/bash
sh -c "system_profiler SPHardwareDataType"
1⤵
PID:549

/usr/sbin/system_profiler
system_profiler SPHardwareDataType
1⤵
PID:549

/bin/sh
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:551

/bin/bash
sh -c "system_profiler SPDisplaysDataType"
1⤵
PID:551

/usr/sbin/system_profiler
system_profiler SPDisplaysDataType
1⤵
PID:551

/bin/sh
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:553

/bin/bash
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:553

/usr/bin/dscl
dscl /Local/Default -authonly root
1⤵
PID:553

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:554

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:554

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:554

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:555

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:555

/usr/sbin/kextcache
/usr/sbin/kextcache -F -system-prelinked-kernel
1⤵
PID:557

/bin/sh
sh -c "dscl /Local/Default -authonly root testpass"
1⤵
PID:577

/bin/bash
sh -c "dscl /Local/Default -authonly root testpass"
1⤵
PID:577

/usr/bin/dscl
dscl /Local/Default -authonly root testpass
1⤵
PID:577

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:578

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:578

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:578

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:579

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdaterBCBF2C69/OneDrive.app
1⤵
PID:580

/bin/sh
sh -c "dscl /Local/Default -authonly root 1234"
1⤵
PID:582

/bin/bash
sh -c "dscl /Local/Default -authonly root 1234"
1⤵
PID:582

/usr/bin/dscl
dscl /Local/Default -authonly root 1234
1⤵
PID:582

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:583

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:583

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:583

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:586

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:586

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:586

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:589

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:589

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:589

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:590

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:590

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:590

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:591

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:591

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:591

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

AppleScript

1

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Credential Access

Discovery

System Information Discovery

1

T1082

Virtualization/Sandbox Evasion

1

T1497

System Checks

1

T1497.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
7d72f00a73c1254fcc35ab14426ffce2

SHA1
024b7c43060223455deaeb119e3cac973ecc5fd2

SHA256
b6f5b1ff546ca0daf85698910a70a0dc53c640d6fd87a2fc7c3ddf62a454ea69

SHA512
3f609669d99a3fba53e8dff250fe2dfe2e941acb7f82f47103eb7d465e5af0dda2d9de718c6c5c828d1b33c8660d425c47bf41b082260e3e23e0a88c85aba7ac

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
f819967f24c1bb6955436c392601dba9

SHA1
cac36a5a58273fd30555673b436841457c453dd0

SHA256
5c7c85fc8a897d4d4dd3079c10c6eb8e66750bd63bd841c8fb201a9078c94185

SHA512
a9a67bd44115fb29d8e7968f97aa1b841757f9928265ac54004bee3fb664ab718f23d0b8e2d064aa42eab4c7002dbb36b62d91976fc74df5edeb9a15916f8ffd

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
dbef53479eb84e0921eeb940aec8d6e4

SHA1
a88f1c84a674d8b6a6f3a07b588208e781b980ce

SHA256
bc90e0bee035157e95cb56d07414cc4514ab3502bba9d8f865bf8e03c8cc212f

SHA512
9acce3e6ad91600783dc39a684654086a6260a127ef4483cf06521862a497ba9061d6f486edb11c22cec51198947d9c7a24f1369554e865ef11a17a28dbf2435

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data

Filesize
1KB

MD5
b0e7c30265e683bfa5dc08f23fb8384d

SHA1
ad27198bd8ea08fb050820f6aca56ded4ec3e8a8

SHA256
b2e5ff8a4c9d17a8109b2d78e53f9d3192e1e4fa1e58e44f086d287f47e467a4

SHA512
5b561091ba996a2580fd253e46b01de8e8d989f43a22cf81b557bfc6daa0c1292ade0ead425fd6c3dcf2909505c41950b0b18d435844bef122d8091baf9c60a5

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads