7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335

General

Target

tspm.bin.exe
Size

1.1MB
MD5

a4fac8df05ee106a9f658b9bb4f90d05
SHA1

8d02ab35f57f4a98679935c7fd6d20e5ceef585a
SHA256

7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335
SHA512

c3d2c2f33637fed7b410ef15dce824ba21103fa970163a10759b1089e4814c0d22e7e22f5954ff7d08dd087ead822f7c8783a47ce1bd01d244728b3fb61f5bf7

Score

10^/10

evasion trojan ransomware persistence

Malware Config

Signatures

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

Processes:

tspm.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tspm.bin.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

Processes:

vssvc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Suspicious use of AdjustPrivilegeToken 66 IoCs

Processes:

wmic.exevssvc.exewmic.exewmic.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3740	wmic.exe
Token: SeSecurityPrivilege	3740	wmic.exe
Token: SeTakeOwnershipPrivilege	3740	wmic.exe
Token: SeLoadDriverPrivilege	3740	wmic.exe
Token: SeSystemProfilePrivilege	3740	wmic.exe
Token: SeSystemtimePrivilege	3740	wmic.exe
Token: SeProfSingleProcessPrivilege	3740	wmic.exe
Token: SeIncBasePriorityPrivilege	3740	wmic.exe
Token: SeCreatePagefilePrivilege	3740	wmic.exe
Token: SeBackupPrivilege	3740	wmic.exe
Token: SeRestorePrivilege	3740	wmic.exe
Token: SeShutdownPrivilege	3740	wmic.exe
Token: SeDebugPrivilege	3740	wmic.exe
Token: SeSystemEnvironmentPrivilege	3740	wmic.exe
Token: SeRemoteShutdownPrivilege	3740	wmic.exe
Token: SeUndockPrivilege	3740	wmic.exe
Token: SeManageVolumePrivilege	3740	wmic.exe
Token: 33	3740	wmic.exe
Token: 34	3740	wmic.exe
Token: 35	3740	wmic.exe
Token: 36	3740	wmic.exe
Token: SeBackupPrivilege	4012	vssvc.exe
Token: SeRestorePrivilege	4012	vssvc.exe
Token: SeAuditPrivilege	4012	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1204	wmic.exe
Token: SeSecurityPrivilege	1204	wmic.exe
Token: SeTakeOwnershipPrivilege	1204	wmic.exe
Token: SeLoadDriverPrivilege	1204	wmic.exe
Token: SeSystemProfilePrivilege	1204	wmic.exe
Token: SeSystemtimePrivilege	1204	wmic.exe
Token: SeProfSingleProcessPrivilege	1204	wmic.exe
Token: SeIncBasePriorityPrivilege	1204	wmic.exe
Token: SeCreatePagefilePrivilege	1204	wmic.exe
Token: SeBackupPrivilege	1204	wmic.exe
Token: SeRestorePrivilege	1204	wmic.exe
Token: SeShutdownPrivilege	1204	wmic.exe
Token: SeDebugPrivilege	1204	wmic.exe
Token: SeSystemEnvironmentPrivilege	1204	wmic.exe
Token: SeRemoteShutdownPrivilege	1204	wmic.exe
Token: SeUndockPrivilege	1204	wmic.exe
Token: SeManageVolumePrivilege	1204	wmic.exe
Token: 33	1204	wmic.exe
Token: 34	1204	wmic.exe
Token: 35	1204	wmic.exe
Token: 36	1204	wmic.exe
Token: SeIncreaseQuotaPrivilege	3412	wmic.exe
Token: SeSecurityPrivilege	3412	wmic.exe
Token: SeTakeOwnershipPrivilege	3412	wmic.exe
Token: SeLoadDriverPrivilege	3412	wmic.exe
Token: SeSystemProfilePrivilege	3412	wmic.exe
Token: SeSystemtimePrivilege	3412	wmic.exe
Token: SeProfSingleProcessPrivilege	3412	wmic.exe
Token: SeIncBasePriorityPrivilege	3412	wmic.exe
Token: SeCreatePagefilePrivilege	3412	wmic.exe
Token: SeBackupPrivilege	3412	wmic.exe
Token: SeRestorePrivilege	3412	wmic.exe
Token: SeShutdownPrivilege	3412	wmic.exe
Token: SeDebugPrivilege	3412	wmic.exe
Token: SeSystemEnvironmentPrivilege	3412	wmic.exe
Token: SeRemoteShutdownPrivilege	3412	wmic.exe
Token: SeUndockPrivilege	3412	wmic.exe
Token: SeManageVolumePrivilege	3412	wmic.exe
Token: 33	3412	wmic.exe
Token: 34	3412	wmic.exe

Drops desktop.ini file(s) 1 IoCs

Processes:

tspm.bin.exe

description ioc process

File opened for modification \??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini tspm.bin.exe
Interacts with shadow copies 2 TTPs 3 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exe

pid process

3960 vssadmin.exe
1692 vssadmin.exe
1372 vssadmin.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

3 api.myip.com
4 api.myip.com
Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

tspm.bin.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tspm.bin.exe

description	ioc	process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	tspm.bin.exe

pid	process
3960	vssadmin.exe
1692	vssadmin.exe
1372	vssadmin.exe

flow	ioc
3	api.myip.com
4	api.myip.com

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

tspm.bin.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tspm.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tspm.bin.exe

Suspicious behavior: EnumeratesProcesses 750 IoCs

Processes:

tspm.bin.exe

pid	process
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe
1508	tspm.bin.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

tspm.bin.exe

description	pid	process	target process
PID 1508 wrote to memory of 3740	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 3740	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 3740	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 3960	1508	tspm.bin.exe	vssadmin.exe
PID 1508 wrote to memory of 3960	1508	tspm.bin.exe	vssadmin.exe
PID 1508 wrote to memory of 3960	1508	tspm.bin.exe	vssadmin.exe
PID 1508 wrote to memory of 1204	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 1204	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 1204	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 1692	1508	tspm.bin.exe	vssadmin.exe
PID 1508 wrote to memory of 1692	1508	tspm.bin.exe	vssadmin.exe
PID 1508 wrote to memory of 1692	1508	tspm.bin.exe	vssadmin.exe
PID 1508 wrote to memory of 3412	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 3412	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 3412	1508	tspm.bin.exe	wmic.exe
PID 1508 wrote to memory of 1372	1508	tspm.bin.exe	vssadmin.exe
PID 1508 wrote to memory of 1372	1508	tspm.bin.exe	vssadmin.exe
PID 1508 wrote to memory of 1372	1508	tspm.bin.exe	vssadmin.exe

C:\Users\Admin\AppData\Local\Temp\tspm.bin.exe
"C:\Users\Admin\AppData\Local\Temp\tspm.bin.exe"
1⤵
- System policy modification
- Drops desktop.ini file(s)
- Checks whether UAC is enabled
- UAC bypass
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1508