14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31

General

Target

14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
Size

8.8MB
MD5

06bd47b8ec7e6277dc6c8842d00f7243
SHA1

23f3b070aad47f72ddf2d148f455cce2266901fd
SHA256

14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
SHA512

299febd21383786c542d8fa79dc6d04aba61675c82ab889da9987404d2a78fd036ffab8b88712152b1ec57f06db4960e9391b6fc1c5fed447e48effb8aefbd50
SSDEEP

49152:m+9o0usEBuQ61RnzrmY+PLXkQF/S/BlFayqYETg2M5Ozv75Eaa9qPESp7bZ1uASW:vhEU+wQF/sP23Eaa9SE0uToBCq

Score

5^/10

evasion execution persistence

Malware Config

Signatures

Launch Agent 1 TTPs
Adversaries may create or modify launch agents to repeatedly execute malicious payloads as part of persistence.
persistence

Launch Agent
T1543.001

Resource Forking 1 TTPs 5 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

evasion

Resource Forking

T1564.009

ioc	Process
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck	Process not Found
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd	Process not Found
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer	Process not Found

Launchctl 1 TTPs 1 IoCs

Adversaries may abuse launchctl to execute commands or programs. Launchctl supports taking subcommands on the command-line, interactively, or even redirected from standard input.

execution

Launchctl

T1569.001

ioc	Process
/bin/launchctl load /Library/LaunchAgents/com.microsoft.update.agent.plist	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31\""
1⤵
PID:463

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31\""
1⤵
PID:463

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
1⤵
PID:463
- /bin/zsh
  /bin/zsh -c /Users/run/14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
  2⤵
  PID:465
- /Users/run/14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
  /Users/run/14fe0071e76b23673569115042a961136ef057848ad44cf35d9f2ca86bd90d31
  2⤵
  PID:465

/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
/System/Library/CoreServices/loginwindow.app/Contents/Resources/LWWeeklyMessageTracer
1⤵
PID:456

/usr/libexec/pkreporter
/usr/libexec/pkreporter
1⤵
PID:454

/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
/System/Library/PrivateFrameworks/SpeechObjects.framework/Versions/A/SpeechDataInstallerd.app/Contents/MacOS/SpeechDataInstallerd
1⤵
PID:451

/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged
"/System/Library/CoreServices/Applications/Feedback Assistant.app/Contents/Library/LaunchServices/seedusaged"
1⤵
PID:448

/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater
"/Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Resources/Java Updater.app/Contents/MacOS/Java Updater" -bgcheck
1⤵
PID:458

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.ui.helper
1⤵
PID:501

/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
/System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
1⤵
PID:501

/usr/libexec/xpcproxy
xpcproxy "com.apple.xpc.launchd.oneshot.0x10000001.Microsoft Word"
1⤵
PID:502

/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word
"/Applications/Microsoft Word.app/Contents/MacOS/Microsoft Word" -psn_0_167977
1⤵
PID:502

/usr/libexec/xpcproxy
xpcproxy com.apple.XprotectFramework.AnalysisService 415
1⤵
PID:504

/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
/System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
1⤵
PID:504

/usr/libexec/xpcproxy
xpcproxy com.apple.storeuid
1⤵
PID:507

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storeuid.app/Contents/MacOS/storeuid
1⤵
PID:507

/usr/libexec/xpcproxy
xpcproxy com.apple.metadata.mdwrite
1⤵
PID:510

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:511

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:511

/usr/libexec/xpcproxy
xpcproxy com.microsoft.autoupdate.fba.2660
1⤵
PID:512

/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant
"/Library/Application Support/Microsoft/MAU2.0/Microsoft AutoUpdate.app/Contents/MacOS/Microsoft Update Assistant.app/Contents/MacOS/Microsoft Update Assistant"
1⤵
PID:512

/bin/launchctl
/bin/launchctl list
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.microsoft.autoupdate.helper
1⤵
PID:514

/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper
/Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper
1⤵
PID:514

/bin/launchctl
/bin/launchctl load /Library/LaunchAgents/com.microsoft.update.agent.plist
1⤵
PID:515

/usr/bin/codesign
/usr/bin/codesign -v /Library/PrivilegedHelperTools/com.microsoft.autoupdate.helper
1⤵
PID:516

/usr/libexec/xpcproxy
xpcproxy com.apple.TextEdit.2092
1⤵
PID:524

/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
/System/Applications/TextEdit.app/Contents/MacOS/TextEdit
1⤵
PID:524

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:528

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Launchctl

1

T1569.001

Persistence

Create or Modify System Process

1

T1543

Launch Agent

1

T1543.001

Privilege Escalation

Create or Modify System Process

1

T1543

Launch Agent

1

T1543.001

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Containers/com.microsoft.Word/Data/Library/Application Support/Microsoft/Office/16.0/microsoft word_Rules.xml

Filesize
258KB

MD5
5a33211bed7be6cc385ae7fbef44e01a

SHA1
a0b3b3ed558bb4efec995b2173645123667a9945

SHA256
fae19f0f726a3973bd8e7ae5b3fe7afaedacda3cbe0f9642526e710c58a485d4

SHA512
e469ce16cbc7ba515a0b2d9e2785d186b7ed30b88c1546f655182d85578a9df7e13c174eeb9ccfa0f971676fb39e35e0621dabdb34ad848da8e6552c9654aa97

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.microsoft.Word//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.microsoft.Word//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Resubmissions

Analysis

Sharing