7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335

Analysis

max time kernel
109s
max time network
132s
platform
windows10_x64
resource
win10v200430
submitted
08/07/2020, 05:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tspm_1.bin.exe
Size

1.1MB
MD5

a4fac8df05ee106a9f658b9bb4f90d05
SHA1

8d02ab35f57f4a98679935c7fd6d20e5ceef585a
SHA256

7b4a13c022f0948f0a7ace0c2ea8b85af4f596338af14c3a1be2e63f55cbb335
SHA512

c3d2c2f33637fed7b410ef15dce824ba21103fa970163a10759b1089e4814c0d22e7e22f5954ff7d08dd087ead822f7c8783a47ce1bd01d244728b3fb61f5bf7

Score

10^/10

evasion trojan persistence ransomware

Malware Config

Signatures

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Suspicious behavior: EnumeratesProcesses 718 IoCs

pid	Process
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe
2116	tspm_1.bin.exe

Enumerates connected drives 3 TTPs

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Drops desktop.ini file(s) 1 IoCs

description	ioc	Process
File opened for modification	\??\Z:\$RECYCLE.BIN\S-1-5-21-1231583446-2617009595-2137880041-1000\desktop.ini	tspm_1.bin.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	api.myip.com
3	api.myip.com

System policy modification 1 TTPs 1 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLinkedConnections = "1"	tspm_1.bin.exe

UAC bypass 3 TTPs 2 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tspm_1.bin.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	tspm_1.bin.exe

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3036	vssadmin.exe
888	vssadmin.exe
2840	vssadmin.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 3784	2116	tspm_1.bin.exe	68
PID 2116 wrote to memory of 3784	2116	tspm_1.bin.exe	68
PID 2116 wrote to memory of 3784	2116	tspm_1.bin.exe	68
PID 2116 wrote to memory of 3036	2116	tspm_1.bin.exe	72
PID 2116 wrote to memory of 3036	2116	tspm_1.bin.exe	72
PID 2116 wrote to memory of 3036	2116	tspm_1.bin.exe	72
PID 2116 wrote to memory of 1700	2116	tspm_1.bin.exe	75
PID 2116 wrote to memory of 1700	2116	tspm_1.bin.exe	75
PID 2116 wrote to memory of 1700	2116	tspm_1.bin.exe	75
PID 2116 wrote to memory of 888	2116	tspm_1.bin.exe	77
PID 2116 wrote to memory of 888	2116	tspm_1.bin.exe	77
PID 2116 wrote to memory of 888	2116	tspm_1.bin.exe	77
PID 2116 wrote to memory of 1356	2116	tspm_1.bin.exe	79
PID 2116 wrote to memory of 1356	2116	tspm_1.bin.exe	79
PID 2116 wrote to memory of 1356	2116	tspm_1.bin.exe	79
PID 2116 wrote to memory of 2840	2116	tspm_1.bin.exe	81
PID 2116 wrote to memory of 2840	2116	tspm_1.bin.exe	81
PID 2116 wrote to memory of 2840	2116	tspm_1.bin.exe	81

Suspicious use of AdjustPrivilegeToken 66 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3784	wmic.exe
Token: SeSecurityPrivilege	3784	wmic.exe
Token: SeTakeOwnershipPrivilege	3784	wmic.exe
Token: SeLoadDriverPrivilege	3784	wmic.exe
Token: SeSystemProfilePrivilege	3784	wmic.exe
Token: SeSystemtimePrivilege	3784	wmic.exe
Token: SeProfSingleProcessPrivilege	3784	wmic.exe
Token: SeIncBasePriorityPrivilege	3784	wmic.exe
Token: SeCreatePagefilePrivilege	3784	wmic.exe
Token: SeBackupPrivilege	3784	wmic.exe
Token: SeRestorePrivilege	3784	wmic.exe
Token: SeShutdownPrivilege	3784	wmic.exe
Token: SeDebugPrivilege	3784	wmic.exe
Token: SeSystemEnvironmentPrivilege	3784	wmic.exe
Token: SeRemoteShutdownPrivilege	3784	wmic.exe
Token: SeUndockPrivilege	3784	wmic.exe
Token: SeManageVolumePrivilege	3784	wmic.exe
Token: 33	3784	wmic.exe
Token: 34	3784	wmic.exe
Token: 35	3784	wmic.exe
Token: 36	3784	wmic.exe
Token: SeBackupPrivilege	496	vssvc.exe
Token: SeRestorePrivilege	496	vssvc.exe
Token: SeAuditPrivilege	496	vssvc.exe
Token: SeIncreaseQuotaPrivilege	1700	wmic.exe
Token: SeSecurityPrivilege	1700	wmic.exe
Token: SeTakeOwnershipPrivilege	1700	wmic.exe
Token: SeLoadDriverPrivilege	1700	wmic.exe
Token: SeSystemProfilePrivilege	1700	wmic.exe
Token: SeSystemtimePrivilege	1700	wmic.exe
Token: SeProfSingleProcessPrivilege	1700	wmic.exe
Token: SeIncBasePriorityPrivilege	1700	wmic.exe
Token: SeCreatePagefilePrivilege	1700	wmic.exe
Token: SeBackupPrivilege	1700	wmic.exe
Token: SeRestorePrivilege	1700	wmic.exe
Token: SeShutdownPrivilege	1700	wmic.exe
Token: SeDebugPrivilege	1700	wmic.exe
Token: SeSystemEnvironmentPrivilege	1700	wmic.exe
Token: SeRemoteShutdownPrivilege	1700	wmic.exe
Token: SeUndockPrivilege	1700	wmic.exe
Token: SeManageVolumePrivilege	1700	wmic.exe
Token: 33	1700	wmic.exe
Token: 34	1700	wmic.exe
Token: 35	1700	wmic.exe
Token: 36	1700	wmic.exe
Token: SeIncreaseQuotaPrivilege	1356	wmic.exe
Token: SeSecurityPrivilege	1356	wmic.exe
Token: SeTakeOwnershipPrivilege	1356	wmic.exe
Token: SeLoadDriverPrivilege	1356	wmic.exe
Token: SeSystemProfilePrivilege	1356	wmic.exe
Token: SeSystemtimePrivilege	1356	wmic.exe
Token: SeProfSingleProcessPrivilege	1356	wmic.exe
Token: SeIncBasePriorityPrivilege	1356	wmic.exe
Token: SeCreatePagefilePrivilege	1356	wmic.exe
Token: SeBackupPrivilege	1356	wmic.exe
Token: SeRestorePrivilege	1356	wmic.exe
Token: SeShutdownPrivilege	1356	wmic.exe
Token: SeDebugPrivilege	1356	wmic.exe
Token: SeSystemEnvironmentPrivilege	1356	wmic.exe
Token: SeRemoteShutdownPrivilege	1356	wmic.exe
Token: SeUndockPrivilege	1356	wmic.exe
Token: SeManageVolumePrivilege	1356	wmic.exe
Token: 33	1356	wmic.exe
Token: 34	1356	wmic.exe
Token: 35	1356	wmic.exe
Token: 36	1356	wmic.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	tspm_1.bin.exe

Modifies service 2 TTPs 4 IoCs

persistence

Modify Registry

T1112

Modify Existing Service

T1031

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Shadow Copy Optimization Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\Registry Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\COM+ REGDB Writer	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\ASR Writer	vssvc.exe

C:\Users\Admin\AppData\Local\Temp\tspm_1.bin.exe
"C:\Users\Admin\AppData\Local\Temp\tspm_1.bin.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Drops desktop.ini file(s)
- System policy modification
- UAC bypass
- Suspicious use of WriteProcessMemory
- Checks whether UAC is enabled
PID:2116
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3784
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:3036
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1700
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:888
- C:\Windows\SysWOW64\Wbem\wmic.exe
  wmic.exe SHADOWCOPY /nointeractive
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1356
- C:\Windows\SysWOW64\vssadmin.exe
  vssadmin.exe Delete Shadows /All /Quiet
  2⤵
  - Interacts with shadow copies
  PID:2840