General
Target: DoppelPaymer.RANSOM.bin
Size: 3.2MB
Sample: 211020-n33zyshaa8
MD5: 8c54bbe3f191a8627bfeeb4cb02634a9
SHA1: 2fc2ecbed153344557386e80a2fbd097bf795559
SHA256: f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
SHA512: 752d4bb22765373f7ee185acc42b73d5f2b75ae46ed995bf2f59486038a512eca30c5ecf040541cc2833df005ee17db00a0ec5ae802b677ff468f256ea53ecd2
Static task: static1
Behavioral task: behavioral1
Sample: DoppelPaymer.RANSOM.bin.exe
Resource: win10-en-20211014
Malware Config
Extracted: C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\vcredist2010_x64.log.html.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\Boot\updaterevokesipolicy.p7b.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Extracted: C:\Boot\bg-BG\bootmgr.exe.mui.readme2unlock.txt
  btpsupport@protonmail.com
  http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
Targets
Target: DoppelPaymer.RANSOM.bin
Size: 3.2MB
MD5: 8c54bbe3f191a8627bfeeb4cb02634a9
SHA1: 2fc2ecbed153344557386e80a2fbd097bf795559
SHA256: f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555
SHA512: 752d4bb22765373f7ee185acc42b73d5f2b75ae46ed995bf2f59486038a512eca30c5ecf040541cc2833df005ee17db00a0ec5ae802b677ff468f256ea53ecd2
- Executes dropped EXE
- Possible privilege escalation attempt
- Sets service image path in registry
- Modifies file permissions
- Drops file in System32 directory