hxxps://github[.]com/nathanlopez/Stitch

Analysis

max time kernel
599s
max time network
590s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
28-05-2024 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/nathanlopez/Stitch

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614392827888570"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
3252	chrome.exe
3252	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe
Token: SeShutdownPrivilege	5060	chrome.exe
Token: SeCreatePagefilePrivilege	5060	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe
5060	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2596	5060	chrome.exe	72
PID 5060 wrote to memory of 2596	5060	chrome.exe	72
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 2944	5060	chrome.exe	74
PID 5060 wrote to memory of 1512	5060	chrome.exe	75
PID 5060 wrote to memory of 1512	5060	chrome.exe	75
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76
PID 5060 wrote to memory of 4744	5060	chrome.exe	76

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://github.com/nathanlopez/Stitch
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffe349d9758,0x7ffe349d9768,0x7ffe349d9778
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1520 --field-trial-handle=1584,i,16011087531612498629,13446186165779774825,131072 /prefetch:2
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1872 --field-trial-handle=1584,i,16011087531612498629,13446186165779774825,131072 /prefetch:8
  2⤵
  PID:1512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2076 --field-trial-handle=1584,i,16011087531612498629,13446186165779774825,131072 /prefetch:8
  2⤵
  PID:4744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2960 --field-trial-handle=1584,i,16011087531612498629,13446186165779774825,131072 /prefetch:1
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2968 --field-trial-handle=1584,i,16011087531612498629,13446186165779774825,131072 /prefetch:1
  2⤵
  PID:292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1584,i,16011087531612498629,13446186165779774825,131072 /prefetch:8
  2⤵
  PID:1044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4868 --field-trial-handle=1584,i,16011087531612498629,13446186165779774825,131072 /prefetch:8
  2⤵
  PID:4792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4468 --field-trial-handle=1584,i,16011087531612498629,13446186165779774825,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3252

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
60ca06e5c01d7b11405027916698f4ab

SHA1
fa69f92f6e6b534aead8dd97b35b2f45c4845042

SHA256
e898cd2572a78d44e76d0ca528c47187ffbe4be9320441ed5a1657f27ee5438d

SHA512
65ecffd17924b274582b396ba43f33030f530ed03a1eed3ce30d14d2014d9c38da5db2be913f2c701d326db7e0126642fc089e2f4ddd3a9b1784e1af62e6e90c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
ea6c520a0cfa350ddbb9202b500ca854

SHA1
470de925339ba2ac9b1c283da75794d0e42dbda7

SHA256
56212bbf7a9f14f9c954eee8def5e308005bc1c818ae2487b61a48a487017ba1

SHA512
15b8b4f2be58ae0faeb75d03263c0b2257127d1b04ad7315fc7a9f7a35746148005077f7d963a4ccf10b5d5a44d773e3ed01d5062730a07772a8fdcb1d25bf8a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
f09fbbfd06da0b67fca651f29edff2a4

SHA1
8b625b4ad72a19c89e16f6b3bacb20323cc419fe

SHA256
2a76cb77aedca888ab1b29460074dbd6039641f648cf2c06abe63b7d29112f38

SHA512
544035dcaad2591eae7e0968477980aa6487cfef47369b7bfe2c28a18a85169ec280785a39e2075f274c086faafc6a0444046c8a5c8b984bda23a14f5f51c6cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
050b001e85710bdc3c9b3be48f9fa8eb

SHA1
7a481aaac6b080e9aba777f7d1f533b3a7e8e020

SHA256
a8425a0003a9de7fc26c868b70928f2f9b6d2011a14f5c5bfa98b653c356412f

SHA512
12a83e49cef1d3504c43c93aaa29cdddca40389aa63b97eb4461b04561152ad34a69184612bc07ef254354d4299f7a26f8a398f1b123637ad6ff506886d55ffa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6c9f0b95d31283d945c9b2ee32a51001

SHA1
22dbd227712a9d644e0a028233d8e9c98dbfba4d

SHA256
04d6915e0d943360e7fe07b767a6cb97222e255dceca307827674882156c4e7c

SHA512
8532e075312a348f965a27b2a0dcccdadd1fab59143aad8b7fdbbff0a6482194481640dbe6cb872cdf22f33c2274cc4e809b89bcc81958f848258f0410eae5d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
96d67442ffc99e12d798c365a7bab82c

SHA1
6e8aad5be1f82a02710586c11ea7049cca95068a

SHA256
e894a89e377dacc5b0ca4ffd2b1944968da349a61dcc580a5a06ea20cab65f3b

SHA512
cf6c345ce13c8a7f12d7db066c64e7c5500b61c7186028b2bd5888f5701d8f9fbf38a31f5b44c605422853e2b69e0c789c42db4cf1a87e1508530d47e6ac572e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
200d1935290d152d5f2c00ca28708e39

SHA1
8a9993e3d7c78378d2f12388d8426b7c3f1d50ba

SHA256
8ed1c0f5a68556ad44326cf7d927f74dfa7f350c18048a7fc91143cbafcbbc9f

SHA512
6c1a408facbb493113a3020f5cdaaa464814bb8b5ecf932012eee2b5cbe3c1a206880458e01ea3d23ad2693eb717d134658448aad9912fa07cfd04e1a984e61c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit