7593df8001e16a07f5a3ffb155601a4dc41d7e6559d7ab25da2184edf95c1487

General

Target

Delta-Optimizateur.exe
Size

42KB
MD5

d0787d6240e34493b6dd8b3a9224b9bc
SHA1

fa67ecde37854491adb09f70d010e466ad07b098
SHA256

7593df8001e16a07f5a3ffb155601a4dc41d7e6559d7ab25da2184edf95c1487
SHA512

9deede0996ee45a192cd86d87b92374e2d690be4c69b59e259f6276743632d010af7272218ab811f737c08bf26ca0d1adc4f53617de41bd988252be0fca1b2b5
SSDEEP

768:9vrhmlL9ra82j2uZ3L+ITjyKZKfgm3EhfqpA:alL9rc/L+ITmF7EVI

Score

4^/10

Malware Config

Signatures

Resource Forking 1 TTPs 6 IoCs

Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

defense_evasion

Resource Forking

T1564.009

ioc	Process
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd	Process not Found
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd	Process not Found
/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent	Process not Found
/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings	Process not Found
/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd	Process not Found
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd	Process not Found

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/Delta-Optimizateur.exe\""
1⤵
PID:473

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/Delta-Optimizateur.exe\""
1⤵
PID:473

/usr/bin/sudo
sudo /bin/zsh -c /Users/run/Delta-Optimizateur.exe
1⤵
PID:473
- /bin/zsh
  /bin/zsh -c /Users/run/Delta-Optimizateur.exe
  2⤵
  PID:474
- /Users/run/Delta-Optimizateur.exe
  /Users/run/Delta-Optimizateur.exe
  2⤵
  PID:474

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:482

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:482

/usr/libexec/xpcproxy
xpcproxy com.apple.systemprofiler
1⤵
PID:503

/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information
"/System/Applications/Utilities/System Information.app/Contents/MacOS/System Information"
1⤵
PID:503

/usr/libexec/xpcproxy
xpcproxy com.apple.replayd
1⤵
PID:506

/usr/libexec/replayd
/usr/libexec/replayd
1⤵
PID:506

/usr/libexec/xpcproxy
xpcproxy com.apple.storedownloadd
1⤵
PID:508

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:509

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:509

/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/storedownloadd
1⤵
PID:508

/usr/libexec/xpcproxy
xpcproxy com.apple.installd
1⤵
PID:512

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/installd
1⤵
PID:512

/usr/libexec/xpcproxy
xpcproxy com.apple.system_installd
1⤵
PID:513

/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
/System/Library/PrivateFrameworks/PackageKit.framework/Resources/system_installd
1⤵
PID:513

/usr/libexec/xpcproxy
xpcproxy com.apple.Safari.CacheDeleteExtension 504
1⤵
PID:515

/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
/Applications/Safari.app/Contents/PlugIns/CacheDeleteExtension.appex/Contents/MacOS/CacheDeleteExtension
1⤵
PID:515

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:519

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:519

/usr/libexec/xpcproxy
xpcproxy com.apple.quicklook.satellite.01E51AC3-8A4C-4E34-AC06-D9F1E72AFE4C 510
1⤵
PID:520

/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
/System/Library/Frameworks/QuickLook.framework/Versions/A/XPCServices/QuickLookSatellite.xpc/Contents/MacOS/QuickLookSatellite
1⤵
PID:520

/usr/libexec/xpcproxy
xpcproxy com.apple.PackageKit.InstallStatus
1⤵
PID:521

/usr/libexec/xpcproxy
xpcproxy com.apple.warmd_agent
1⤵
PID:522

/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress
"/System/Library/CoreServices/Install in Progress.app/Contents/MacOS/Install in Progress"
1⤵
PID:521

/usr/libexec/warmd_agent
/usr/libexec/warmd_agent
1⤵
PID:522

/usr/libexec/xpcproxy
xpcproxy com.apple.security.keychain-circle-notification
1⤵
PID:525

/usr/libexec/xpcproxy
xpcproxy com.apple.ViewBridgeAuxiliary
1⤵
PID:526

/System/Library/CoreServices/Keychain Circle Notification.app/Contents/MacOS/Keychain Circle Notification
"/System/Library/CoreServices/Keychain Circle Notification.app/Contents/MacOS/Keychain Circle Notification"
1⤵
PID:525

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
1⤵
PID:526

/usr/libexec/xpcproxy
xpcproxy com.apple.sessionlogoutd
1⤵
PID:527

/System/Library/CoreServices/sessionlogoutd
/System/Library/CoreServices/sessionlogoutd
1⤵
PID:527

/usr/bin/sudo
/usr/bin/sudo -k
1⤵
PID:528

/usr/libexec/xpcproxy
xpcproxy com.apple.loginwindow.35C1A388-5266-4FDE-982E-4E2698E590AA
1⤵
PID:529

/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow
/System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow console
1⤵
PID:529

/usr/libexec/xpcproxy
xpcproxy com.apple.imklaunchagent
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.UserEventAgent-LoginWindow
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.universalaccessd
1⤵
PID:532

/usr/sbin/universalaccessd
/usr/sbin/universalaccessd launchd -s
1⤵
PID:532

/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent
/System/Library/Frameworks/InputMethodKit.framework/Resources/imklaunchagent
1⤵
PID:530

/usr/libexec/xpcproxy
xpcproxy com.apple.pluginkit.pkd
1⤵
PID:533

/usr/libexec/pkd
/usr/libexec/pkd
1⤵
PID:533

/usr/libexec/xpcproxy
xpcproxy com.apple.ViewBridgeAuxiliary
1⤵
PID:534

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
1⤵
PID:534

/usr/libexec/xpcproxy
xpcproxy com.apple.security.agent.login.00000000-0000-0000-0000-0000000186BC
1⤵
PID:535

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/SecurityAgent.bundle/Contents/MacOS/SecurityAgent
1⤵
PID:535

/usr/libexec/xpcproxy
xpcproxy com.apple.coremedia.videodecoder 535
1⤵
PID:539

/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
/System/Library/Frameworks/VideoToolbox.framework/Versions/A/XPCServices/VTDecoderXPCService.xpc/Contents/MacOS/VTDecoderXPCService
1⤵
PID:539

/usr/libexec/UserEventAgent
/usr/libexec/UserEventAgent "(LoginWindow)"
1⤵
PID:531

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:540

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:540

/usr/libexec/xpcproxy
xpcproxy com.apple.CryptoTokenKit.ahp.agent
1⤵
PID:541

/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp
/System/Library/Frameworks/CryptoTokenKit.framework/ctkahp.bundle/Contents/MacOS/ctkahp
1⤵
PID:541

/usr/libexec/xpcproxy
xpcproxy com.apple.xpc.launchd.oneshot.0x10000001.activateSettings
1⤵
PID:542

/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings
/System/Library/PrivateFrameworks/SystemAdministration.framework/Resources/activateSettings
1⤵
PID:542

/usr/libexec/xpcproxy
xpcproxy com.apple.AmbientDisplayAgent
1⤵
PID:543

/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent
/System/Library/PrivateFrameworks/AmbientDisplay.framework/Versions/A/XPCServices/com.apple.AmbientDisplayAgent.xpc/Contents/MacOS/com.apple.AmbientDisplayAgent
1⤵
PID:543

/usr/libexec/xpcproxy
xpcproxy com.apple.ctkd
1⤵
PID:544

/System/Library/Frameworks/CryptoTokenKit.framework/ctkd
/System/Library/Frameworks/CryptoTokenKit.framework/ctkd -tw
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:545

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:545

/usr/libexec/xpcproxy
xpcproxy com.apple.CryptoTokenKit.setoken 544
1⤵
PID:546

/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex/Contents/MacOS/setoken
/System/Library/Frameworks/CryptoTokenKit.framework/PlugIns/setoken.appex/Contents/MacOS/setoken
1⤵
PID:546

/usr/libexec/xpcproxy
xpcproxy com.apple.security.authhost.00000000-0000-0000-0000-0000000186BC
1⤵
PID:548

/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
/System/Library/Frameworks/Security.framework/Versions/A/MachServices/authorizationhost.bundle/Contents/MacOS/authorizationhost
1⤵
PID:548

/usr/libexec/xpcproxy
xpcproxy com.apple.Kerberos.kcm
1⤵
PID:549

/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm
/System/Library/PrivateFrameworks/Heimdal.framework/Helpers/kcm --launchd
1⤵
PID:549

/usr/libexec/xpcproxy
xpcproxy com.apple.GSSCred
1⤵
PID:550

/System/Library/Frameworks/GSS.framework/Helpers/GSSCred
/System/Library/Frameworks/GSS.framework/Helpers/GSSCred
1⤵
PID:550

/usr/libexec/xpcproxy
xpcproxy com.apple.iconservices.iconservicesagent
1⤵
PID:551

/System/Library/CoreServices/iconservicesagent
/System/Library/CoreServices/iconservicesagent runAsRoot
1⤵
PID:551

/usr/libexec/xpcproxy
xpcproxy com.apple.usbmuxd
1⤵
PID:552

/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd
/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/Resources/usbmuxd -launchd
1⤵
PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

1

T1564

Resource Forking

1

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Saved Application State/com.apple.finder.savedState/data.data

Filesize
3KB

MD5
edf12dad16bade1bb3d4335041004b91

SHA1
bc680a44f2af7e1b2604a328bd7930a15e27d164

SHA256
cb349a458dd3f7aef6cd6228d690d45e9818189e009fdc061b0cb725fb308321

SHA512
e66aecfa2116669ca63e17e11af22bc306c6f32422de8ca3c63c19a06e20788dc735c41173bc79e8e9c52ed7742a7d2ea4894f2ec94e29e924fa2f272e4e9286

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/C//mds/mdsDirectory.db

Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/zz/zyxvpxvq6csfxvn_n00000bh00002w/C//mds/mdsObject.db

Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit

Analysis

Sharing