Overview

overview

10

Static

static

10

alfa.exe

windows10-2004-x64

8

alfa.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    132s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17/04/2025, 00:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    alfa.exe

  • Size

    137KB

  • MD5

    510c893c3552e271cd3c407dae2c82b0

  • SHA1

    5a30f8ec0137a4f26d160a7ff48f6ebe7dafc383

  • SHA256

    d8bb97a2d453d659c9df7b10df2030f33dbc566da75184e312b148107ca906b0

  • SHA512

    2598a9064d7b6866b82d5a7d433c8e3cea7ea03e340d5f8fe80a3878e68b6b2fb4bb6159f6ed80a5a148a40059f282f78586af4682a452f830c4b7755ddd2a30

  • SSDEEP

    3072:aVvH8RuVrLyEj/S2CUGACcceJd/klDHa/R8mxu3s8QyPu:KH8RuRLlzgUd6a/AslyPu

Score
8/10
credential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Uses browser remote debugging 2 TTPs 8 IoCs

    Can be used control the browser and steal sensitive information such as credentials and session cookies.

    credential_accessstealer
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    defense_evasion
  • Enumerates system info in registry 2 TTPs 6 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 27 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\alfa.exe
    "C:\Users\Admin\AppData\Local\Temp\alfa.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2288
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --remote-debugging-port=9223 --profile-directory="Default"
      2⤵
      • Uses browser remote debugging
      • Checks processor information in registry
      • Enumerates system info in registry
      • Modifies data under HKEY_USERS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffe4203dcf8,0x7ffe4203dd04,0x7ffe4203dd10
        3⤵
          PID:4852
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1560,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2212 /prefetch:3
          3⤵
            PID:3704
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=2184,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2176 /prefetch:2
            3⤵
              PID:4708
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2396,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2580 /prefetch:8
              3⤵
                PID:692
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3096,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=3100 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:3076
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2940,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=2908 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:1924
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4268,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4240 /prefetch:2
                3⤵
                • Uses browser remote debugging
                PID:5416
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4696,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4628 /prefetch:1
                3⤵
                • Uses browser remote debugging
                PID:780
              • C:\Program Files\Google\Chrome\Application\chrome.exe
                "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5380,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=4748 /prefetch:8
                3⤵
                  PID:5472
                • C:\Program Files\Google\Chrome\Application\chrome.exe
                  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5384,i,5460005979754066611,8925139141768294309,262144 --variations-seed-version=20250410-050051.531000 --mojo-platform-channel-handle=5316 /prefetch:8
                  3⤵
                    PID:5192
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --remote-debugging-port=9223 --profile-directory="Default"
                  2⤵
                  • Uses browser remote debugging
                  • Enumerates system info in registry
                  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
                  • Suspicious use of FindShellTrayWindow
                  PID:2104
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x238,0x260,0x7ffe3350f208,0x7ffe3350f214,0x7ffe3350f220
                    3⤵
                      PID:1572
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --always-read-main-dll --field-trial-handle=1896,i,239419200947222678,12767992805429755626,262144 --variations-seed-version --mojo-platform-channel-handle=2292 /prefetch:3
                      3⤵
                        PID:5800
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --always-read-main-dll --field-trial-handle=2236,i,239419200947222678,12767992805429755626,262144 --variations-seed-version --mojo-platform-channel-handle=2232 /prefetch:2
                        3⤵
                          PID:408
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --always-read-main-dll --field-trial-handle=2584,i,239419200947222678,12767992805429755626,262144 --variations-seed-version --mojo-platform-channel-handle=2732 /prefetch:8
                          3⤵
                            PID:5356
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --always-read-main-dll --field-trial-handle=3508,i,239419200947222678,12767992805429755626,262144 --variations-seed-version --mojo-platform-channel-handle=1616 /prefetch:1
                            3⤵
                            • Uses browser remote debugging
                            PID:5592
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --string-annotations --instant-process --pdf-upsell-enabled --remote-debugging-port=9223 --video-capture-use-gpu-memory-buffer --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --always-read-main-dll --field-trial-handle=3512,i,239419200947222678,12767992805429755626,262144 --variations-seed-version --mojo-platform-channel-handle=3588 /prefetch:1
                            3⤵
                            • Uses browser remote debugging
                            PID:3444
                        • C:\Windows\SysWOW64\cmd.exe
                          "C:\Windows\system32\cmd.exe" /c timeout /t 11 & rd /s /q "C:\ProgramData\q1djm" & exit
                          2⤵
                          • System Location Discovery: System Language Discovery
                          PID:964
                          • C:\Windows\SysWOW64\timeout.exe
                            timeout /t 11
                            3⤵
                            • System Location Discovery: System Language Discovery
                            • Delays execution with timeout.exe
                            PID:1284
                      • C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
                        "C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
                        1⤵
                          PID:1548
                        • C:\Windows\system32\svchost.exe
                          C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
                          1⤵
                            PID:5784
                          • C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\elevation_service.exe"
                            1⤵
                              PID:5264

                            Network

                            MITRE ATT&CK Enterprise v16

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\ProgramData\q1djm\c2d26f
                              Filesize

                              288KB

                              MD5

                              2c174429ff86b26828fd7d33cfacdf61

                              SHA1

                              2133286a1c230a02bf0e33d9f8d930f6756a9ffd

                              SHA256

                              b38f06479710a5fd89ba1ba1f0860e65db1e402fb1bcf1db2b6503435a40e782

                              SHA512

                              97fc67c37b1c08408b5638064b5e8bd7f1614e8c30cba9dae1f91dc710b1e1683cd33e83e6f1ee4b080ac109ca13ed1acc5188b7df19b74223152df787ea11ef

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState
                              Filesize

                              414B

                              MD5

                              6898183ffcf284bf8afa82d8dece05e6

                              SHA1

                              ede202fb361c20a24a9cb513de467592691e7908

                              SHA256

                              bccda7fa356f1d86145e3a64e4c1f4e8b97e9881959b24566d5cb921294381c6

                              SHA512

                              c7b06c8a8d9586030f676455ca7ade8a7c6d235e196306db419f76d45d8f0032f4ffbc9670aaf501b9f523452ee466a1138430979c26a929d110c2a4452014f7

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
                              Filesize

                              2B

                              MD5

                              d751713988987e9331980363e24189ce

                              SHA1

                              97d170e1550eee4afc0af065b78cda302a97674c

                              SHA256

                              4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

                              SHA512

                              b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
                              Filesize

                              78KB

                              MD5

                              2d6aec52906999f0e18cdc74f92e8e89

                              SHA1

                              bc8318164a749f7d45c739b1017fbc5770a9964e

                              SHA256

                              8b175c45fc0a1b20522ad0c359830d3ef80bb1881b867ebd6115546f871ea41a

                              SHA512

                              78af29011ca3912dda31188729bccda3ae1006933307589e49e7ef8a075d0f5bff4b065883b1643f9c8d216d40782c6709afc561c37b479375473e35218b3145

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                              Filesize

                              280B

                              MD5

                              991dd8fbe9a0cd6dc3637646bc73b6fe

                              SHA1

                              cd33a4c3c2cea06b41e5388826af365691769de4

                              SHA256

                              7e873150a039c5eda07ab3768e2b49127c3f824319d28909fe07f31d6f3119a4

                              SHA512

                              b8c1dbb54394674bb88fd7cf368214885e0c328e51651ee8f412aa1ab85151582c70189a292e24d551a8144de29f82e8e9b51ca5a695d33dc0e3326a78d05263

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\c7ffec1e-fc42-4076-aa14-962b9b7bed81\index-dir\the-real-index
                              Filesize

                              1KB

                              MD5

                              ce5b57461a7943579c44c145fe840e66

                              SHA1

                              81d678cb14f84ed4e5e31b6b0cb01b70571d3528

                              SHA256

                              8c264401f3fc95e177e30d90a55ad065f542599ab7d9051691bb27c980d438d3

                              SHA512

                              79c86d339937ebec0cb013ef9215d29c2330add1b4129bc89117530e0356ae5bd0d9d144d0ce2190fce3ace41f73ecd9d698cac0961e7df3cf00e3c323d9d2e3

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\3cedfb74d44f2e84198d23075aef16c34a668ceb\c7ffec1e-fc42-4076-aa14-962b9b7bed81\index-dir\the-real-index~RFe57b585.TMP
                              Filesize

                              1KB

                              MD5

                              b30e0b10f8a2600d845d3497663b3985

                              SHA1

                              b24ed3448961f8bb43aafacc00062de7a2c7716d

                              SHA256

                              0cfd64b47fe82a1e301b5c0e1705519093decda5756baa73c28048d81080291e

                              SHA512

                              6037eba62c6f28327eba408c1d5d604fad5c73be8520d35e8be9d3cb0dbf7feadeecba285872ef3f818d1e24e60b14a4cb7ee56528ec87ceea9e720b73bad24c

                              Download Submit

                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                              Filesize

                              40KB

                              MD5

                              2bf15b2ee6982a8b30fcacacf6d236d7

                              SHA1

                              e44ff19f0c496514672382217c72c226a020570d

                              SHA256

                              0f155cd325ef5a8bf183fdfea7cbbf4bfbcdabc5721142361dafa920b83bcaa3

                              SHA512

                              9a789a216707d3ccfb77c86598ce1695c0a15e04cc4b0e693199b24753a0e3bd49b850e3b93ff28b65560dd965757fc74e017a37c242b0d33866950fa7801551

                              Download Submit