DoppelPaymer.RANSOM.bin

General
Target

DoppelPaymer.RANSOM.bin

Size

3MB

Sample

211020-n33zyshaa8

Score
10/10
MD5

8c54bbe3f191a8627bfeeb4cb02634a9

SHA1

2fc2ecbed153344557386e80a2fbd097bf795559

SHA256

f658ddcf8e87de957a81bb92d44ce02913b427e8bccbe663669ee2613d355555

SHA512

752d4bb22765373f7ee185acc42b73d5f2b75ae46ed995bf2f59486038a512eca30c5ecf040541cc2833df005ee17db00a0ec5ae802b677ff468f256ea53ecd2

Malware Config

Extracted

Path C:\vcredist2010_x64.log-MSI_vc_red.msi.txt.readme2unlock.txt
Ransom Note
Your network has been penetrated. All files on each host in the network have been encrypted with a strong algorythm. Backups were either encrypted or deleted or backup disks were formatted. Shadow copies also removed, so F8 or any other methods may damage encrypted data but not recover. We exclusively have decryption software for your situation No decryption software is available in the public.
DO NOT RESET OR SHUTDOWN - files may be damaged.
DO NOT RENAME OR MOVE the encrypted and readme files.
DO NOT DELETE readme files.
DO NOT use any recovery software with restoring files overwriting encrypted. This may lead to the impossibility of recovery of the certain files.
To get info (decrypt your files) contact us at your personal page:
1. Download and install Tor Browser: https://www.torproject.org/download/
2. After a successful installation, run the browser and wait for initialization.
3. Type in the address bar: http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c
4. Follow the instructions on the site
5. You should get in contact in 48 HOURS since your systems been infected.
6. The link above is valid for 7 days. After that period if you not get in contact your local data would be lost completely.
7. Questions? e-mail: btpsupport@protonmail.com If email not working - new one you can find on a tor page.
The faster you get in contact - the lower price you can expect.
DATA CAAAANAnUh+HCaXNAQIAABBmAAAApAAAh+SvG4V13HxJAN+D+R9ECeZXWRZVt1Yh/Y/dC9m18ePU 06iq815SzIcrA0YQeew0KRFltd8NEAdYTzyrcZPdjZZwMO7O+o6K9M3IB8g3ZIDYjGK8YNWhHvg6 w+f/5KMmKbSr0D7Lfolb5JFY3qxLoGCM1aUT5XOU+I0hK9CRra3vx5sRZIWlPGk9zs49DLL1EpGc aCJid5qzxoJox/Yh5WxxDwaMFYoVqEC4qnkhijyiUdzGL7XImjnMaPUsHGcylaLxed4R8ypM5voa 2vEgtJnqdck1R0lzzCvXDPMo6E8VtSG9om2l0I4UvS/sMmPb/IAFMZysBuJq35SCwtVHMQ==
Emails

btpsupport@protonmail.com

URLs

http://q7wp5u55lhtuafjtsl6lkt24z4wvon2jexfzhzqqfrt3bqnpqboyqoid.onion/order/b65dd758-e6bf-11e9-9468-00163eea179c

Extracted

Further ransom-note copies extracted from the same run. The note text, the contact e-mail and the .onion URL are identical to the copy shown above; only the drop path and the per-note DATA blob differ.

Path C:\vcredist2010_x64.log.html.readme2unlock.txt
Path C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log.readme2unlock.txt
Path C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log.readme2unlock.txt
Path C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt
Path C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt
Path C:\vcredist2019_x64_000_vcRuntimeMinimum_x64.log.readme2unlock.txt
Path C:\vcredist2019_x64_001_vcRuntimeAdditional_x64.log.readme2unlock.txt
Path C:\Boot\updaterevokesipolicy.p7b.readme2unlock.txt
Path C:\Boot\bg-BG\bootmgr.exe.mui.readme2unlock.txt


Targets
Target

DoppelPaymer.RANSOM.bin

Signatures

  • BitPaymer
    Description: Bitpaymer is a Trojan horse that encrypts files on a computer.

  • xmrig
    Description: XMRig is a high performance, open source, cross platform CPU/GPU miner.

  • Deletes shadow copies
    Description: Ransomware often targets backup files to inhibit system recovery.
    TTPs: File Deletion, Inhibit System Recovery

  • Executes dropped EXE

  • Possible privilege escalation attempt

  • Sets service image path in registry
    TTPs: Registry Run Keys / Startup Folder, Modify Registry

  • Modifies file permissions
    TTPs: File Permissions Modification

  • Checks whether UAC is enabled
    TTPs: System Information Discovery

  • Drops file in System32 directory
