Analysis
- max time kernel: 141s
- max time network: 147s
- platform: windows7_x64
- resource: win7
- submitted: 07-07-2020 23:28
Static task: static1
Behavioral task: behavioral1
- Sample: tspm.bin.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: tspm.bin.exe
- Resource: win10v200430
General
- Target: tspm.bin.exe
- Size: 1.1MB
- MD5: a4fac8df05ee106a9f658b9bb4f90d05
- SHA1: 8d02ab35f57f4a98679935c7fd6d20e5ceef585a
- SHA256: 7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335
- SHA512: c3d2c2f33637fed7b410ef15dce824ba21103fa970163a10759b1089e4814c0d22e7e22f5954ff7d08dd087ead822f7c8783a47ce1bd01d244728b3fb61f5bf7
Malware Config
Signatures
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    2044  tspm.bin.exe
- Enumerates connected drives (3 TTPs)
- Checks whether UAC is enabled
  Processes:
    description      ioc                                                                                          process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  tspm.bin.exe
- UAC bypass
  Processes:
    description      ioc                                                                                                         process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"                 tspm.bin.exe
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  tspm.bin.exe
- System policy modification (1 TTPs, 1 IoCs)
  Processes:
    description      ioc                                                                                                       process
    Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"  tspm.bin.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow  ioc
    4     api.myip.com
    5     api.myip.com
- Suspicious behavior: EnumeratesProcesses (735 IoCs)
  Processes:
    pid   process
    1768  tspm.bin.exe
  (every entry listed under this signature is the same pid/process pair)
- Suspicious use of WriteProcessMemory (28 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1768 wrote to memory of 1272  1768  tspm.bin.exe  wmic.exe
    PID 1768 wrote to memory of 2008  1768  tspm.bin.exe  vssadmin.exe
    PID 1768 wrote to memory of 1144  1768  tspm.bin.exe  wmic.exe
    PID 1768 wrote to memory of 1632  1768  tspm.bin.exe  vssadmin.exe
    PID 1768 wrote to memory of 1672  1768  tspm.bin.exe  wmic.exe
    PID 1768 wrote to memory of 1428  1768  tspm.bin.exe  vssadmin.exe
    PID 2000 wrote to memory of 2044  2000  taskeng.exe   tspm.bin.exe
  (each row above is listed four times in the report, giving the 28 IoCs)
- Suspicious use of AdjustPrivilegeToken (63 IoCs)
  Processes:
    pid   process     tokens
    1272  wmic.exe    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    1028  vssvc.exe   SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    1144  wmic.exe    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
    1672  wmic.exe    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35
- Drops desktop.ini file(s) (1 IoCs)
  Processes:
    description                   ioc                                                                             process
    File opened for modification  \??\Z:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini  tspm.bin.exe
- Modifies service (2 TTPs, 4 IoCs)
  Processes:
    description  ioc                                                                                      process
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer                 vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer               vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer                      vssvc.exe
    Key created  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer  vssvc.exe
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes:
    pid   process
    1632  vssadmin.exe
    1428  vssadmin.exe
    2008  vssadmin.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\tspm.bin.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tspm.bin.exe"
  PID: 1768
  Signatures:
  - Checks whether UAC is enabled
  - UAC bypass
  - System policy modification
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - Drops desktop.ini file(s)
  Child processes:
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 1272
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    PID: 2008
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 1144
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    PID: 1632
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe
    Command line: wmic.exe SHADOWCOPY /nointeractive
    PID: 1672
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe
    Command line: vssadmin.exe Delete Shadows /All /Quiet
    PID: 1428
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  PID: 1028
  Signatures:
  - Suspicious use of AdjustPrivilegeToken
  - Modifies service
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {936EF20D-B3A5-4116-B959-AB9D81A43C20} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]
  PID: 2000
  Signatures:
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tspm.bin.exe
    Command line: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tspm.bin.exe
    PID: 2044
    - Executes dropped EXE