Analysis
- max time kernel: 129s
- max time network: 126s
- platform: windows10_x64
- resource: win10v200430
- submitted: 07-07-2020 23:28
Static task: static1
Behavioral task: behavioral1
- Sample: tspm.bin.exe
- Resource: win7
Behavioral task: behavioral2
- Sample: tspm.bin.exe
- Resource: win10v200430
General
- Target: tspm.bin.exe
- Size: 1.1MB
- MD5: a4fac8df05ee106a9f658b9bb4f90d05
- SHA1: 8d02ab35f57f4a98679935c7fd6d20e5ceef585a
- SHA256: 7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335
- SHA512: c3d2c2f33637fed7b410ef15dce824ba21103fa970163a10759b1089e4814c0d22e7e22f5954ff7d08dd087ead822f7c8783a47ce1bd01d244728b3fb61f5bf7
Malware Config
Signatures
- System policy modification (1 TTPs, 1 IoCs)
  Processes: tspm.bin.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1" | tspm.bin.exe
- Deletes shadow copies (2 TTPs)
  Ransomware often targets backup files to inhibit system recovery.
- Modifies service (2 TTPs, 4 IoCs)
  Processes: vssvc.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer | vssvc.exe
- Suspicious use of AdjustPrivilegeToken (66 IoCs)
  Processes: wmic.exe, vssvc.exe, wmic.exe, wmic.exe
  Token entries grouped by pid and process (listed in the order the report gives them):
  pid 3740, wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 4012, vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
  pid 1204, wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
  pid 3412, wmic.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34
- Drops desktop.ini file(s) (1 IoCs)
  Processes: tspm.bin.exe
  description | ioc | process
  File opened for modification | \??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini | tspm.bin.exe
- Interacts with shadow copies (2 TTPs, 3 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes: vssadmin.exe, vssadmin.exe, vssadmin.exe
  pid | process
  3960 | vssadmin.exe
  1692 | vssadmin.exe
  1372 | vssadmin.exe
- Looks up external IP address via web service (2 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow | ioc
  3 | api.myip.com
  4 | api.myip.com
- Enumerates connected drives (3 TTPs)
- Checks whether UAC is enabled (signature heading restored from the process tree below; it is missing in the extracted listing)
  Processes: tspm.bin.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tspm.bin.exe
- UAC bypass (signature heading restored from the process tree below; it is missing in the extracted listing)
  Processes: tspm.bin.exe
  description | ioc | process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | tspm.bin.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | tspm.bin.exe
- Suspicious behavior: EnumeratesProcesses (750 IoCs)
  Processes: tspm.bin.exe
  pid | process
  1508 | tspm.bin.exe (the same row is repeated for every entry in the listing)
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: tspm.bin.exe
  description | pid | process | target process
  PID 1508 wrote to memory of 3740 | 1508 | tspm.bin.exe | wmic.exe (3 entries)
  PID 1508 wrote to memory of 3960 | 1508 | tspm.bin.exe | vssadmin.exe (3 entries)
  PID 1508 wrote to memory of 1204 | 1508 | tspm.bin.exe | wmic.exe (3 entries)
  PID 1508 wrote to memory of 1692 | 1508 | tspm.bin.exe | vssadmin.exe (3 entries)
  PID 1508 wrote to memory of 3412 | 1508 | tspm.bin.exe | wmic.exe (3 entries)
  PID 1508 wrote to memory of 1372 | 1508 | tspm.bin.exe | vssadmin.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\tspm.bin.exe (tree level 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\tspm.bin.exe"
  - System policy modification
  - Drops desktop.ini file(s)
  - Checks whether UAC is enabled
  - UAC bypass
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Wbem\wmic.exe (tree level 2)
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (tree level 2)
    command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (tree level 2)
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (tree level 2)
    command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
  - C:\Windows\SysWOW64\Wbem\wmic.exe (tree level 2)
    command line: wmic.exe SHADOWCOPY /nointeractive
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\vssadmin.exe (tree level 2)
    command line: vssadmin.exe Delete Shadows /All /Quiet
    - Interacts with shadow copies
- C:\Windows\system32\vssvc.exe (tree level 1)
  command line: C:\Windows\system32\vssvc.exe
  - Modifies service
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1204-2-0x0000000000000000-mapping.dmp
- memory/1372-5-0x0000000000000000-mapping.dmp
- memory/1692-3-0x0000000000000000-mapping.dmp
- memory/3412-4-0x0000000000000000-mapping.dmp
- memory/3740-0-0x0000000000000000-mapping.dmp
- memory/3960-1-0x0000000000000000-mapping.dmp