Overview

overview

8

Static

static

3

Pray.exe

windows7-x64

8

Pray.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    154s
  • max time network
    176s
  • platform
    windows7_x64
  • resource
    win7-20231020-en
  • resource tags

    arch:x64arch:x86image:win7-20231020-enlocale:en-usos:windows7-x64system
  • submitted
    22-10-2023 18:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Pray.exe

  • Size

    745KB

  • MD5

    39a4e1c4bb46aaefee6e0b13c465b0f1

  • SHA1

    d1b332736a42d9750b4e2adc5a715e5fed6d115e

  • SHA256

    465321ec4fd0e23318868b635af91005ce63b2d2d4a5a07fc40f6059b090cddf

  • SHA512

    495849f4676214e01d26735c3d40463dea6c7b5394e036db67dbb7a882c413b64214b0ba6f5a9c5c4f394a92d3eb6d33d13251f9a8e007bc8993dcb8e1c5abb2

  • SSDEEP

    12288:MzfqBuYLGzcR1inQ4f1oQHqRMgKBuR8SLH2ocAKBGwSMXx:MT6DCAUplHUqB4crBlzXx

Score
8/10
spywarestealer

Malware Config

Signatures

  • Blocklisted process makes network request 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\Pray.exe
      "C:\Users\Admin\AppData\Local\Temp\Pray.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Pray.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2832
      • C:\Users\Admin\AppData\Local\Temp\Pray.exe
        "C:\Users\Admin\AppData\Local\Temp\Pray.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2768
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:336
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:2672

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ity4_x7x.zip
      Filesize

      435KB

      MD5

      0d1613320b79de7e8c7627c07d19f4a7

      SHA1

      f85b78ed8568a648b9134beb654e384c622c73bd

      SHA256

      e6fc736d8850729ee5d9d65076e0f4a869530b2c5df7239bda47051fa3c04be7

      SHA512

      13c00d2a48a42c3da05c6f475ab9b0581c951dd62ca0b435c44dbcefdfc02f14597b2b33aa28d3c4c8526adb198b24f1a83d92b12612209ca4aed06b80c7cbfa

      Download Submit

    • \Users\Admin\AppData\Local\Temp\sqlite3.dll
      Filesize

      831KB

      MD5

      05ace2f6d9bef6fd9bbd05ee5262a1f2

      SHA1

      5cce2228e0d9c6cc913cf551e0bf7c76ed74ff59

      SHA256

      002459f4d4758011b4d7f36935f1fe323494b847f8c173a551076a3d30475ebc

      SHA512

      1e717a66a72eb626727144fa7458f472ada54fd1be37072c9e740945e34ba94025737aef44e54752c50c5b79a583c6a91a0d8043bf1bf7c3e7cab8537207f9fc

      Download Submit

    • memory/336-40-0x00000000000A0000-0x00000000000D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/336-83-0x0000000061E00000-0x0000000061EBD000-memory.dmp

      Filesize

      756KB

      Download

    • memory/336-41-0x0000000002330000-0x00000000023CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/336-37-0x0000000002330000-0x00000000023CC000-memory.dmp

      Filesize

      624KB

      Download

    • memory/336-35-0x00000000000A0000-0x00000000000D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/336-34-0x0000000002020000-0x0000000002323000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/336-31-0x00000000000A0000-0x00000000000D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/336-30-0x00000000000A0000-0x00000000000D6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/1260-42-0x0000000007230000-0x00000000072D2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1260-29-0x0000000009960000-0x000000000B9EE000-memory.dmp

      Filesize

      32.6MB

      Download

    • memory/1260-39-0x0000000007230000-0x00000000072D2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1260-38-0x0000000007230000-0x00000000072D2000-memory.dmp

      Filesize

      648KB

      Download

    • memory/1260-36-0x0000000009960000-0x000000000B9EE000-memory.dmp

      Filesize

      32.6MB

      Download

    • memory/2768-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2768-33-0x0000000000190000-0x00000000001AD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/2768-22-0x0000000000C30000-0x0000000000F33000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/2768-8-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2768-10-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2768-25-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2768-26-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2768-27-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2768-28-0x0000000000190000-0x00000000001AD000-memory.dmp

      Filesize

      116KB

      Download

    • memory/2768-14-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2768-15-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2768-32-0x0000000000400000-0x000000000043A000-memory.dmp

      Filesize

      232KB

      Download

    • memory/2824-5-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2824-0-0x0000000000B70000-0x0000000000C30000-memory.dmp

      Filesize

      768KB

      Download

    • memory/2824-2-0x0000000004BB0000-0x0000000004BF0000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2824-16-0x0000000074C50000-0x000000007533E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2824-1-0x0000000074C50000-0x000000007533E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2824-3-0x0000000000B30000-0x0000000000B4A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2824-4-0x0000000074C50000-0x000000007533E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2824-7-0x0000000007F30000-0x0000000007FAA000-memory.dmp

      Filesize

      488KB

      Download

    • memory/2824-6-0x0000000000650000-0x0000000000660000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2832-20-0x0000000074D10000-0x00000000752BB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2832-23-0x00000000024E0000-0x0000000002520000-memory.dmp

      Filesize

      256KB

      Download

    • memory/2832-24-0x0000000074D10000-0x00000000752BB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2832-19-0x0000000074D10000-0x00000000752BB000-memory.dmp

      Filesize

      5.7MB

      Download

    • memory/2832-21-0x00000000024E0000-0x0000000002520000-memory.dmp

      Filesize

      256KB

      Download