Analysis

  • max time kernel
    63s
  • max time network
    70s
  • platform
    macos-10.15_amd64
  • resource
    macos-20241106-en
  • resource tags
    arch:amd64, arch:i386, image:macos-20241106-en, kernel:19b77a, locale:en-us, os:macos-10.15-amd64, system
  • submitted
    28/03/2025, 15:47

General

  • Target

    Swinsian 3.0 Preview 5 (1).dmg

  • Size

    15.7MB

  • MD5

    a3faa77e6ce14c0b8b596c19d39a5631

  • SHA1

    4c4ac3d8f7cae0b3cc0542b6cc8a12527573dd1f

  • SHA256

    cef2e62993951b11b10aecd28d294e0426a7987058c4f1a49705712ea0402689

  • SHA512

    e0045f7775e735b8e36fc789f4c5fee578a31a54ee7778c14464a745ea1e11f0302f3b9ea01d65f5a2460966c469071b54e980ee8649a9684a0d1203ae4c9a78

  • SSDEEP

    393216:yeHR2p0wfnSc/PKpY0BsEamAgVTDWxyzyn:yeHQrbKhrUA2j

Malware Config

Signatures

  • File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity. Malware, tools, or other non-native files dropped or created on a system by an adversary (ex: Ingress Tool Transfer) may leave traces that indicate what was done within a network and how. Removal of these files can occur.

  • File and Directory Discovery 1 TTPs 1 IoCs

    Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system.

  • Resource Forking 1 TTPs 9 IoCs

    Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.

Processes

  • /bin/sh
    sh -c "sudo /bin/zsh -c \"open /Volumes/Swinsian\\ 3.0\\ Preview\\ 5\""
    1⤵
      PID:498
  • /bin/bash
    sh -c "sudo /bin/zsh -c \"open /Volumes/Swinsian\\ 3.0\\ Preview\\ 5\""
    1⤵
      PID:498
  • /usr/bin/sudo
    sudo /bin/zsh -c "open /Volumes/Swinsian\\ 3.0\\ Preview\\ 5"
    1⤵
      PID:498
      • /bin/zsh
        /bin/zsh -c "open /Volumes/Swinsian\\ 3.0\\ Preview\\ 5"
        2⤵
          PID:499
      • /usr/bin/open
        open "/Volumes/Swinsian 3.0 Preview 5"
        2⤵
          PID:499
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.PerformanceAnalysis.animationperfd
    1⤵
      PID:501
  • /System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
    /System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
    1⤵
      PID:501
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.quicklook.ui.helper
    1⤵
      PID:502
  • /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
    /System/Library/Frameworks/Quartz.framework/Frameworks/QuickLookUI.framework/Resources/QuickLookUIHelper.app/Contents/MacOS/QuickLookUIHelper
    1⤵
      PID:502
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.Terminal.2100
    1⤵
      PID:503
  • /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
    /System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
    1⤵
      PID:503
      • /usr/bin/login
        login -pf run
        2⤵
          PID:505
          • /bin/zsh
            -zsh
            3⤵
              PID:506
              • /usr/libexec/path_helper
                /usr/libexec/path_helper -s
                4⤵
                  PID:507
              • /usr/bin/locale
                locale LC_CTYPE
                4⤵
                  PID:508
      • /usr/bin/login
        login -pf run
        2⤵
          PID:509
          • /bin/zsh
            -zsh
            3⤵
              PID:510
              • /usr/libexec/path_helper
                /usr/libexec/path_helper -s
                4⤵
                  PID:511
              • /usr/bin/locale
                locale LC_CTYPE
                4⤵
                  PID:512
              • /Volumes/Swinsian 3.0 Preview 5/Open Gatekeeper friendly
                "/Volumes/Swinsian 3.0 Preview 5/Open Gatekeeper friendly"
                4⤵
                  PID:513
                  • /usr/bin/clear
                    clear
                    5⤵
                      PID:514
                  • /usr/bin/dirname
                    dirname "/Volumes/Swinsian 3.0 Preview 5/Open Gatekeeper friendly"
                    5⤵
                      PID:515
                  • /bin/rm
                    rm -rf /tmp/tnt15013
                    5⤵
                      PID:516
                  • /bin/mkdir
                    mkdir -p /tmp/tnt15013
                    5⤵
                      PID:517
                  • /bin/cp
                    cp "/Volumes/Swinsian 3.0 Preview 5/Manual install/Swinsian 3.0 Preview 5 [TNT].dmg" /tmp/tnt15013
                    5⤵
                      PID:518
                  • /usr/bin/xattr
                    xattr -r -d com.apple.quarantine "/tmp/tnt15013/Swinsian 3.0 Preview 5 [TNT].dmg"
                    5⤵
                      PID:522
                  • /bin/mkdir
                    mkdir -p /tmp/tnt15013/mount
                    5⤵
                      PID:523
                  • /usr/bin/hdiutil
                    hdiutil attach -owners on -quiet -noverify -mountpoint /tmp/tnt15013/mount "/tmp/tnt15013/Swinsian 3.0 Preview 5 [TNT].dmg" -shadow /tmp/tnt15013/shadow
                    5⤵
                      PID:524
                  • /usr/bin/find
                    find /tmp/tnt15013/mount -maxdepth 1 "!" -type l "!" -path /tmp/tnt15013/mount -exec xattr -r -d com.apple.quarantine "{}" ";"
                    5⤵
                      PID:536
                      • /usr/local/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.background
                        6⤵
                          PID:537
                      • /usr/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.background
                        6⤵
                          PID:537
                      • /usr/local/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.DS_Store
                        6⤵
                          PID:538
                      • /usr/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.DS_Store
                        6⤵
                          PID:538
                      • /usr/local/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.fseventsd
                        6⤵
                          PID:541
                      • /usr/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.fseventsd
                        6⤵
                          PID:541
                      • /usr/local/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.VolumeIcon.icns
                        6⤵
                          PID:542
                      • /usr/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/.VolumeIcon.icns
                        6⤵
                          PID:542
                      • /usr/local/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/Extra
                        6⤵
                          PID:543
                      • /usr/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/Extra
                        6⤵
                          PID:543
                      • /usr/local/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/Swinsian.app
                        6⤵
                          PID:544
                      • /usr/bin/xattr
                        xattr -r -d com.apple.quarantine /tmp/tnt15013/mount/Swinsian.app
                        6⤵
                          PID:544
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.metadata.mdwrite
    1⤵
      PID:504
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.nsurlstoraged
    1⤵
      PID:519
  • /usr/libexec/nsurlstoraged
    /usr/libexec/nsurlstoraged --privileged
    1⤵
      PID:519
  • /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
    /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 757518F6-A0AF-4DD6-BDD8-4B55BEBE5379
    1⤵
      PID:525
  • /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper
    /System/Library/PrivateFrameworks/DiskImages.framework/Resources/diskimages-helper -uuid 757518F6-A0AF-4DD6-BDD8-4B55BEBE5379 -post-exec 4
    1⤵
      PID:526
  • /System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
    /System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk4s1 removable readonly
    1⤵
      PID:527
  • /System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
    /System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk4s1
    1⤵
      PID:528
  • /System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs
    /System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk4s1
    1⤵
      PID:529
  • /System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
    /System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -p disk4s1 removable readonly
    1⤵
      PID:530
  • /System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util
    /System/Library/Filesystems/hfs.fs/Contents/Resources/./hfs.util -k disk4s1
    1⤵
      PID:531
  • /System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs
    /System/Library/Filesystems/hfs.fs/Contents/Resources/./fsck_hfs -q /dev/rdisk4s1
    1⤵
      PID:532
  • /sbin/mount
    /sbin/mount -t hfs -o "-u=502,-g=20,-m=755,nodev,noowners,nosuid,owners" /dev/disk4s1 /private/tmp/tnt15013/mount
    1⤵
      PID:533
      • /sbin/mount_hfs
        /sbin/mount_hfs -u 502 -g 20 -m 755 -o nodev -o noowners -o nosuid -o owners /dev/disk4s1 /private/tmp/tnt15013/mount
        2⤵
          PID:534
  • /bin/sleep
    sleep 5
    1⤵
      PID:546
  • /usr/bin/hdiutil
    hdiutil detach -force "/Volumes/Swinsian 3.0 Preview 5"
    1⤵
      PID:547
  • /sbin/umount
    /sbin/umount -f "/Volumes/Swinsian 3.0 Preview 5"
    1⤵
      PID:548
  • /usr/libexec/xpcproxy
    xpcproxy com.apple.security.DiskUnmountWatcher
    1⤵
      PID:551
  • /System/Library/PrivateFrameworks/KerberosHelper/Helpers/DiskUnmountWatcher
    /System/Library/PrivateFrameworks/KerberosHelper/Helpers/DiskUnmountWatcher
    1⤵
      PID:551

Network

MITRE ATT&CK Enterprise v15

Downloads

  • /tmp/tnt15013/Swinsian 3.0 Preview 5 [TNT].dmg

    Filesize

    13.6MB

    MD5

    7e042f8ffb279c4d7651d7f6de064a9f

    SHA1

    bd3bb6103717aa0c054998db60141b538407b2dc

    SHA256

    72eb760e5c6cf2daef2155c784381467f6a4c5c1b81dd422b92f1da3adc7a8d7

    SHA512

    e9767f6a0d64dc4705fa05b6f085f827f9d3d792da1f63fdbc61cf91640a90cd09c45ce51a3d8698eb94fb0fc62a9c9a5a70b2b60d1546c5828480b5d3e7cddd

  • /var/db/nsurlstoraged/dafsaData.bin

    Filesize

    54KB

    MD5

    64f469698e53d0c828b7f90acd306082

    SHA1

    bcc041b3849e1b0b4104ffeb46002207eeac54f3

    SHA256

    d74d0e429343f5e1b3e0b9437e048917c4343a30cff068739ea898bad8e37ffd

    SHA512

    a8334d1304f2fbd32cfd0ca35c289a45c450746cf3be57170cbbe87b723b1910c2e950a73c1fb82de9dc5ed623166d339a05fec3d78b861a9254dc2cb51fab5f

  • /var/log/fsck_hfs.log

    Filesize

    16KB

    MD5

    22868511bbc9eb7ef06c8813761b7cce

    SHA1

    5a3fdb31da97a9a74e7f2c7b04f4fd571dfcd887

    SHA256

    eb45a6f6d3e54e8d909c6c00867cd3b32adef62e6ac4258bae96b9e643d14ab1

    SHA512

    d72227e0a9afae007a8193867b672aa5326aca896b2004043802f206e57432f3e6ce9993256664af436435a157a42fedd2c87bff544a7b81ec05566be6983f3b