7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335

General

Target

tspm.bin.exe
Size

1.1MB
MD5

a4fac8df05ee106a9f658b9bb4f90d05
SHA1

8d02ab35f57f4a98679935c7fd6d20e5ceef585a
SHA256

7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335
SHA512

c3d2c2f33637fed7b410ef15dce824ba21103fa970163a10759b1089e4814c0d22e7e22f5954ff7d08dd087ead822f7c8783a47ce1bd01d244728b3fb61f5bf7

Score

10^/10

evasion trojan persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490
Executes dropped EXE 1 IoCs

Processes:

tspm.bin.exe

pid process

2044 tspm.bin.exe
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

tspm.bin.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tspm.bin.exe

pid	process
2044	tspm.bin.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tspm.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tspm.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tspm.bin.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

tspm.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tspm.bin.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

4 api.myip.com
5 api.myip.com

flow	ioc
4	api.myip.com
5	api.myip.com

Suspicious behavior: EnumeratesProcesses 735 IoCs

Processes:

tspm.bin.exe

pid	process
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe
1768	tspm.bin.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

tspm.bin.exetaskeng.exe

description	pid	process	target process
PID 1768 wrote to memory of 1272	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1272	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1272	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1272	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 2008	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 2008	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 2008	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 2008	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 1144	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1144	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1144	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1144	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1632	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 1632	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 1632	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 1632	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 1672	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1672	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1672	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1672	1768	tspm.bin.exe	wmic.exe
PID 1768 wrote to memory of 1428	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 1428	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 1428	1768	tspm.bin.exe	vssadmin.exe
PID 1768 wrote to memory of 1428	1768	tspm.bin.exe	vssadmin.exe
PID 2000 wrote to memory of 2044	2000	taskeng.exe	tspm.bin.exe
PID 2000 wrote to memory of 2044	2000	taskeng.exe	tspm.bin.exe
PID 2000 wrote to memory of 2044	2000	taskeng.exe	tspm.bin.exe
PID 2000 wrote to memory of 2044	2000	taskeng.exe	tspm.bin.exe

Suspicious use of AdjustPrivilegeToken 63 IoCs

Processes:

wmic.exevssvc.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1272	wmic.exe
Token: SeSecurityPrivilege	1272	wmic.exe
Token: SeTakeOwnershipPrivilege	1272	wmic.exe
Token: SeLoadDriverPrivilege	1272	wmic.exe
Token: SeSystemProfilePrivilege	1272	wmic.exe
Token: SeSystemtimePrivilege	1272	wmic.exe
Token: SeProfSingleProcessPrivilege	1272	wmic.exe
Token: SeIncBasePriorityPrivilege	1272	wmic.exe
Token: SeCreatePagefilePrivilege	1272	wmic.exe
Token: SeBackupPrivilege	1272	wmic.exe
Token: SeRestorePrivilege	1272	wmic.exe
Token: SeShutdownPrivilege	1272	wmic.exe
Token: SeDebugPrivilege	1272	wmic.exe
Token: SeSystemEnvironmentPrivilege	1272	wmic.exe
Token: SeRemoteShutdownPrivilege	1272	wmic.exe
Token: SeUndockPrivilege	1272	wmic.exe
Token: SeManageVolumePrivilege	1272	wmic.exe
Token: 33	1272	wmic.exe
Token: 34	1272	wmic.exe
Token: 35	1272	wmic.exe
Token: SeBackupPrivilege	1028	vssvc.exe
Token: SeRestorePrivilege	1028	vssvc.exe
Token: SeAuditPrivilege	1028	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1144	wmic.exe
Token: SeSecurityPrivilege	1144	wmic.exe
Token: SeTakeOwnershipPrivilege	1144	wmic.exe
Token: SeLoadDriverPrivilege	1144	wmic.exe
Token: SeSystemProfilePrivilege	1144	wmic.exe
Token: SeSystemtimePrivilege	1144	wmic.exe
Token: SeProfSingleProcessPrivilege	1144	wmic.exe
Token: SeIncBasePriorityPrivilege	1144	wmic.exe
Token: SeCreatePagefilePrivilege	1144	wmic.exe
Token: SeBackupPrivilege	1144	wmic.exe
Token: SeRestorePrivilege	1144	wmic.exe
Token: SeShutdownPrivilege	1144	wmic.exe
Token: SeDebugPrivilege	1144	wmic.exe
Token: SeSystemEnvironmentPrivilege	1144	wmic.exe
Token: SeRemoteShutdownPrivilege	1144	wmic.exe
Token: SeUndockPrivilege	1144	wmic.exe
Token: SeManageVolumePrivilege	1144	wmic.exe
Token: 33	1144	wmic.exe
Token: 34	1144	wmic.exe
Token: 35	1144	wmic.exe
Token: SeIncreaseQuotaPrivilege	1672	wmic.exe
Token: SeSecurityPrivilege	1672	wmic.exe
Token: SeTakeOwnershipPrivilege	1672	wmic.exe
Token: SeLoadDriverPrivilege	1672	wmic.exe
Token: SeSystemProfilePrivilege	1672	wmic.exe
Token: SeSystemtimePrivilege	1672	wmic.exe
Token: SeProfSingleProcessPrivilege	1672	wmic.exe
Token: SeIncBasePriorityPrivilege	1672	wmic.exe
Token: SeCreatePagefilePrivilege	1672	wmic.exe
Token: SeBackupPrivilege	1672	wmic.exe
Token: SeRestorePrivilege	1672	wmic.exe
Token: SeShutdownPrivilege	1672	wmic.exe
Token: SeDebugPrivilege	1672	wmic.exe
Token: SeSystemEnvironmentPrivilege	1672	wmic.exe
Token: SeRemoteShutdownPrivilege	1672	wmic.exe
Token: SeUndockPrivilege	1672	wmic.exe
Token: SeManageVolumePrivilege	1672	wmic.exe
Token: 33	1672	wmic.exe
Token: 34	1672	wmic.exe
Token: 35	1672	wmic.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

tspm.bin.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini tspm.bin.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	tspm.bin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe

Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

1632 vssadmin.exe
1428 vssadmin.exe
2008 vssadmin.exe

pid	process
1632	vssadmin.exe
1428	vssadmin.exe
2008	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\tspm.bin.exe
"C:\Users\Admin\AppData\Local\Temp\tspm.bin.exe"
1⤵
- Checks whether UAC is enabled
- UAC bypass
- System policy modification
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
- Drops desktop.ini file(s)
PID:1768

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1272

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:2008

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1144

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1632

C:\Windows\SysWOW64\Wbem\wmic.exe
wmic.exe SHADOWCOPY /nointeractive
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\SysWOW64\vssadmin.exe
vssadmin.exe Delete Shadows /All /Quiet
2⤵
- Interacts with shadow copies
PID:1428

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1028

C:\Windows\system32\taskeng.exe
taskeng.exe {936EF20D-B3A5-4116-B959-AB9D81A43C20} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tspm.bin.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tspm.bin.exe
2⤵
- Executes dropped EXE
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

1

T1031

Privilege Escalation

Bypass User Account Control

1

T1088

Defense Evasion

File Deletion

2

T1107

Bypass User Account Control

1

T1088

Disabling Security Tools

1

T1089

Modify Registry

3

T1112

Credential Access

Discovery

Query Registry

1

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tspm.bin.exe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tspm.bin.exe

Download Submit
memory/1144-2-0x0000000000000000-mapping.dmp

Download
memory/1272-0-0x0000000000000000-mapping.dmp

Download
memory/1428-5-0x0000000000000000-mapping.dmp

Download
memory/1632-3-0x0000000000000000-mapping.dmp

Download
memory/1672-4-0x0000000000000000-mapping.dmp

Download
memory/2008-1-0x0000000000000000-mapping.dmp

Download
memory/2044-7-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads