agenttesla | 06150e8a137191d9513d89883efb3e0d3abe5839682c8340f4c4288e13b3b8bf

Bypass User Account Control

T1548.002

Disable or Modify Tools

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	New_Order_PO_GM5637H93.exe

Windows security bypass 2 TTPs 2 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	New_Order_PO_GM5637H93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\New_Order_PO_GM5637H93.exe = "0"	New_Order_PO_GM5637H93.exe

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4892	powershell.exe
3628	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	New_Order_PO_GM5637H93.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	wab.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk	wab.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TrojanAIbot.exe.lnk	wab.exe

Executes dropped EXE 1 IoCs

pid	Process
3448	TrojanAIbot.exe

Windows security modification 2 TTPs 3 IoCs

Disable or Modify Tools

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths	New_Order_PO_GM5637H93.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions	New_Order_PO_GM5637H93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\New_Order_PO_GM5637H93.exe = "0"	New_Order_PO_GM5637H93.exe

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wab.exe
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wab.exe

Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XClient = "C:\\Users\\Admin\\AppData\\Roaming\\XClient.exe"	wab.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	New_Order_PO_GM5637H93.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	New_Order_PO_GM5637H93.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
43	api.ipify.org
44	api.ipify.org
28	checkip.dyndns.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3940 set thread context of 2168	3940	New_Order_PO_GM5637H93.exe	88

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TrojanAIbot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2912	timeout.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	TrojanAIbot.exe

Runs regedit.exe 1 IoCs

pid	Process
212	regedit.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
1896	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2168	wab.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
4892	powershell.exe
4892	powershell.exe
2168	wab.exe
2168	wab.exe
2168	wab.exe
2168	wab.exe
2168	wab.exe
2168	wab.exe
2168	wab.exe
3628	powershell.exe
3628	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	3940	New_Order_PO_GM5637H93.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	2168	wab.exe
Token: SeDebugPrivilege	3628	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2168	wab.exe
2168	wab.exe

Suspicious use of WriteProcessMemory 43 IoCs

description	pid	Process	procid_target
PID 3940 wrote to memory of 4892	3940	New_Order_PO_GM5637H93.exe	84
PID 3940 wrote to memory of 4892	3940	New_Order_PO_GM5637H93.exe	84
PID 3940 wrote to memory of 212	3940	New_Order_PO_GM5637H93.exe	86
PID 3940 wrote to memory of 212	3940	New_Order_PO_GM5637H93.exe	86
PID 3940 wrote to memory of 212	3940	New_Order_PO_GM5637H93.exe	86
PID 3940 wrote to memory of 212	3940	New_Order_PO_GM5637H93.exe	86
PID 3940 wrote to memory of 212	3940	New_Order_PO_GM5637H93.exe	86
PID 3940 wrote to memory of 212	3940	New_Order_PO_GM5637H93.exe	86
PID 3940 wrote to memory of 212	3940	New_Order_PO_GM5637H93.exe	86
PID 3940 wrote to memory of 4336	3940	New_Order_PO_GM5637H93.exe	87
PID 3940 wrote to memory of 4336	3940	New_Order_PO_GM5637H93.exe	87
PID 3940 wrote to memory of 4336	3940	New_Order_PO_GM5637H93.exe	87
PID 3940 wrote to memory of 4336	3940	New_Order_PO_GM5637H93.exe	87
PID 3940 wrote to memory of 4336	3940	New_Order_PO_GM5637H93.exe	87
PID 3940 wrote to memory of 4336	3940	New_Order_PO_GM5637H93.exe	87
PID 3940 wrote to memory of 4336	3940	New_Order_PO_GM5637H93.exe	87
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 2168	3940	New_Order_PO_GM5637H93.exe	88
PID 3940 wrote to memory of 4596	3940	New_Order_PO_GM5637H93.exe	89
PID 3940 wrote to memory of 4596	3940	New_Order_PO_GM5637H93.exe	89
PID 3940 wrote to memory of 4596	3940	New_Order_PO_GM5637H93.exe	89
PID 2168 wrote to memory of 1896	2168	wab.exe	111
PID 2168 wrote to memory of 1896	2168	wab.exe	111
PID 2168 wrote to memory of 1896	2168	wab.exe	111
PID 2168 wrote to memory of 3628	2168	wab.exe	112
PID 2168 wrote to memory of 3628	2168	wab.exe	112
PID 2168 wrote to memory of 3628	2168	wab.exe	112
PID 2168 wrote to memory of 3448	2168	wab.exe	115
PID 2168 wrote to memory of 3448	2168	wab.exe	115
PID 2168 wrote to memory of 3448	2168	wab.exe	115
PID 2168 wrote to memory of 1644	2168	wab.exe	116
PID 2168 wrote to memory of 1644	2168	wab.exe	116
PID 2168 wrote to memory of 1644	2168	wab.exe	116
PID 1644 wrote to memory of 2912	1644	cmd.exe	118
PID 1644 wrote to memory of 2912	1644	cmd.exe	118
PID 1644 wrote to memory of 2912	1644	cmd.exe	118

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	New_Order_PO_GM5637H93.exe

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wab.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	wab.exe

C:\Users\Admin\AppData\Local\Temp\New_Order_PO_GM5637H93.exe
"C:\Users\Admin\AppData\Local\Temp\New_Order_PO_GM5637H93.exe"
1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3940
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New_Order_PO_GM5637H93.exe" -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4892
- C:\Windows\regedit.exe
  "C:\Windows\regedit.exe"
  2⤵
  - Runs regedit.exe
  PID:212
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4336
- C:\Program Files (x86)\Windows Mail\wab.exe
  "C:\Program Files (x86)\Windows Mail\wab.exe"
  2⤵
  - Drops startup file
  - Accesses Microsoft Outlook profiles
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - outlook_office_path
  - outlook_win_path
  PID:2168
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /create /tn AccSys /tr "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe" /st 01:16 /du 23:59 /sc daily /ri 1 /f
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1896
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\ACCApi'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3628
- - C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe
    "C:\Users\Admin\AppData\Roaming\ACCApi\TrojanAIbot.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    PID:3448
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp8BEF.tmp.cmd""
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\SysWOW64\timeout.exe
      timeout 6
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:2912
- C:\Program Files (x86)\Windows Mail\wab.exe
  "C:\Program Files (x86)\Windows Mail\wab.exe"
  2⤵
  PID:4596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

Modify Registry