7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335

Analysis

max time kernel
117s
max time network
129s
platform
windows7_x64
resource
win7
submitted
08/07/2020, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tspm_1.bin.exe
Size

1.1MB
MD5

a4fac8df05ee106a9f658b9bb4f90d05
SHA1

8d02ab35f57f4a98679935c7fd6d20e5ceef585a
SHA256

7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335
SHA512

c3d2c2f33637fed7b410ef15dce824ba21103fa970163a10759b1089e4814c0d22e7e22f5954ff7d08dd087ead822f7c8783a47ce1bd01d244728b3fb61f5bf7

Score

10^/10

persistence evasion trojan ransomware

Malware Config

Signatures

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1464 wrote to memory of 1296	1464	tspm_1.bin.exe	26
PID 1464 wrote to memory of 1296	1464	tspm_1.bin.exe	26
PID 1464 wrote to memory of 1296	1464	tspm_1.bin.exe	26
PID 1464 wrote to memory of 1296	1464	tspm_1.bin.exe	26
PID 1464 wrote to memory of 1880	1464	tspm_1.bin.exe	28
PID 1464 wrote to memory of 1880	1464	tspm_1.bin.exe	28
PID 1464 wrote to memory of 1880	1464	tspm_1.bin.exe	28
PID 1464 wrote to memory of 1880	1464	tspm_1.bin.exe	28
PID 1464 wrote to memory of 1836	1464	tspm_1.bin.exe	31
PID 1464 wrote to memory of 1836	1464	tspm_1.bin.exe	31
PID 1464 wrote to memory of 1836	1464	tspm_1.bin.exe	31
PID 1464 wrote to memory of 1836	1464	tspm_1.bin.exe	31
PID 1464 wrote to memory of 1564	1464	tspm_1.bin.exe	33
PID 1464 wrote to memory of 1564	1464	tspm_1.bin.exe	33
PID 1464 wrote to memory of 1564	1464	tspm_1.bin.exe	33
PID 1464 wrote to memory of 1564	1464	tspm_1.bin.exe	33
PID 1464 wrote to memory of 1536	1464	tspm_1.bin.exe	35
PID 1464 wrote to memory of 1536	1464	tspm_1.bin.exe	35
PID 1464 wrote to memory of 1536	1464	tspm_1.bin.exe	35
PID 1464 wrote to memory of 1536	1464	tspm_1.bin.exe	35
PID 1464 wrote to memory of 1980	1464	tspm_1.bin.exe	37
PID 1464 wrote to memory of 1980	1464	tspm_1.bin.exe	37
PID 1464 wrote to memory of 1980	1464	tspm_1.bin.exe	37
PID 1464 wrote to memory of 1980	1464	tspm_1.bin.exe	37
PID 1648 wrote to memory of 1572	1648	taskeng.exe	43
PID 1648 wrote to memory of 1572	1648	taskeng.exe	43
PID 1648 wrote to memory of 1572	1648	taskeng.exe	43
PID 1648 wrote to memory of 1572	1648	taskeng.exe	43

Suspicious use of AdjustPrivilegeToken 63 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1296	wmic.exe
Token: SeSecurityPrivilege	1296	wmic.exe
Token: SeTakeOwnershipPrivilege	1296	wmic.exe
Token: SeLoadDriverPrivilege	1296	wmic.exe
Token: SeSystemProfilePrivilege	1296	wmic.exe
Token: SeSystemtimePrivilege	1296	wmic.exe
Token: SeProfSingleProcessPrivilege	1296	wmic.exe
Token: SeIncBasePriorityPrivilege	1296	wmic.exe
Token: SeCreatePagefilePrivilege	1296	wmic.exe
Token: SeBackupPrivilege	1296	wmic.exe
Token: SeRestorePrivilege	1296	wmic.exe
Token: SeShutdownPrivilege	1296	wmic.exe
Token: SeDebugPrivilege	1296	wmic.exe
Token: SeSystemEnvironmentPrivilege	1296	wmic.exe
Token: SeRemoteShutdownPrivilege	1296	wmic.exe
Token: SeUndockPrivilege	1296	wmic.exe
Token: SeManageVolumePrivilege	1296	wmic.exe
Token: 33	1296	wmic.exe
Token: 34	1296	wmic.exe
Token: 35	1296	wmic.exe
Token: SeBackupPrivilege	1904	vssvc.exe
Token: SeRestorePrivilege	1904	vssvc.exe
Token: SeAuditPrivilege	1904	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1836	wmic.exe
Token: SeSecurityPrivilege	1836	wmic.exe
Token: SeTakeOwnershipPrivilege	1836	wmic.exe
Token: SeLoadDriverPrivilege	1836	wmic.exe
Token: SeSystemProfilePrivilege	1836	wmic.exe
Token: SeSystemtimePrivilege	1836	wmic.exe
Token: SeProfSingleProcessPrivilege	1836	wmic.exe
Token: SeIncBasePriorityPrivilege	1836	wmic.exe
Token: SeCreatePagefilePrivilege	1836	wmic.exe
Token: SeBackupPrivilege	1836	wmic.exe
Token: SeRestorePrivilege	1836	wmic.exe
Token: SeShutdownPrivilege	1836	wmic.exe
Token: SeDebugPrivilege	1836	wmic.exe
Token: SeSystemEnvironmentPrivilege	1836	wmic.exe
Token: SeRemoteShutdownPrivilege	1836	wmic.exe
Token: SeUndockPrivilege	1836	wmic.exe
Token: SeManageVolumePrivilege	1836	wmic.exe
Token: 33	1836	wmic.exe
Token: 34	1836	wmic.exe
Token: 35	1836	wmic.exe
Token: SeIncreaseQuotaPrivilege	1536	wmic.exe
Token: SeSecurityPrivilege	1536	wmic.exe
Token: SeTakeOwnershipPrivilege	1536	wmic.exe
Token: SeLoadDriverPrivilege	1536	wmic.exe
Token: SeSystemProfilePrivilege	1536	wmic.exe
Token: SeSystemtimePrivilege	1536	wmic.exe
Token: SeProfSingleProcessPrivilege	1536	wmic.exe
Token: SeIncBasePriorityPrivilege	1536	wmic.exe
Token: SeCreatePagefilePrivilege	1536	wmic.exe
Token: SeBackupPrivilege	1536	wmic.exe
Token: SeRestorePrivilege	1536	wmic.exe
Token: SeShutdownPrivilege	1536	wmic.exe
Token: SeDebugPrivilege	1536	wmic.exe
Token: SeSystemEnvironmentPrivilege	1536	wmic.exe
Token: SeRemoteShutdownPrivilege	1536	wmic.exe
Token: SeUndockPrivilege	1536	wmic.exe
Token: SeManageVolumePrivilege	1536	wmic.exe
Token: 33	1536	wmic.exe
Token: 34	1536	wmic.exe
Token: 35	1536	wmic.exe

Executes dropped EXE 1 IoCs

pid	Process
1572	tspm_1.bin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1880	vssadmin.exe
1564	vssadmin.exe
1980	vssadmin.exe

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Suspicious behavior: EnumeratesProcesses 755 IoCs

pid	Process
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe
1464	tspm_1.bin.exe

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tspm_1.bin.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.myip.com
5	api.myip.com

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tspm_1.bin.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tspm_1.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tspm_1.bin.exe

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1131729243-447456001-3632642222-1000\desktop.ini	tspm_1.bin.exe

C:\Users\Admin\AppData\Local\Temp\tspm_1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\tspm_1.bin.exe"
1⤵
- Suspicious use of WriteProcessMemory
- Suspicious behavior: EnumeratesProcesses
- System policy modification
- Checks whether UAC is enabled
- UAC bypass
- Drops desktop.ini file(s)
PID:1464
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1296
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1880
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1836
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1564
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1536
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:1980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
- Modifies service
PID:1904

C:\Windows\system32\taskeng.exe
taskeng.exe {D1CDBA2C-BE96-4D4B-ABBA-2F24EA1183B3} S-1-5-21-1131729243-447456001-3632642222-1000:AVGLFESB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tspm_1.bin.exe
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\tspm_1.bin.exe
  2⤵
  - Executes dropped EXE
  PID:1572