Advisory | Malware Intelligence

Name | DoppelPaymer
Type | Ransomware
Target OS | Windows
Affected Sectors | Healthcare, emergency services, financial sectors, educational organizations.
The latest victim of the DoppelPaymer ransomware is Apex Laboratory of Farmingdale, New York, attacked on 31 December 2020. DoppelPaymer is reportedly operated by the financially motivated threat group TA505, which deploys the Dridex banking trojan as a downloader for DoppelPaymer. The DoppelPaymer operators have also partnered with the Qakbot malware gang: the Qakbot backdoor handles initial access, privilege escalation and lateral movement, after which the DoppelPaymer gang takes control and deploys the ransomware.
DoppelPaymer ransomware distribution methods include:
The encrypted files have extensions “.locked,” “.lock,” “.doppeled.”
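A defender-side check for the three extensions named above, added here as an example and not part of the original advisory. It assumes that DoppelPaymer appends its extension to the original file name (so an encrypted file carries a double extension such as "report.docx.locked"), which keeps ordinary single-extension ".lock" files such as "yarn.lock" from triggering an alert; the sample directory and the alert threshold are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Extensions the advisory attributes to DoppelPaymer-encrypted files.
DOPPELPAYMER_EXTENSIONS = {".locked", ".lock", ".doppeled"}


def is_suspect(name, extensions=DOPPELPAYMER_EXTENSIONS):
    """True when the final extension is in the set AND another extension
    precedes it (assumption: the ransomware appends to the original name).
    A bare ".lock" file is a common benign artifact and is not counted."""
    suffixes = Path(name).suffixes
    return len(suffixes) >= 2 and suffixes[-1].lower() in extensions


def scan_tree(root, min_hits=3):
    """Walk `root` and return (sorted_hits, total_files, alert).
    `alert` is raised only once `min_hits` suspect files are seen, so a
    single stray match does not page anyone."""
    hits, total = [], 0
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            total += 1
            if is_suspect(name):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits), total, len(hits) >= min_hits


def build_sample_tree():
    """Constructed sample directory (not real victim data)."""
    root = tempfile.mkdtemp(prefix="dp_sample_")
    names = ["report.docx.locked", "budget.xlsx.doppeled", "notes.txt.lock",
             "photo.jpg", "yarn.lock", "readme.md"]
    for n in names:
        Path(root, n).write_bytes(b"constructed sample content")
    return root


if __name__ == "__main__":
    hits, total, alert = scan_tree(build_sample_tree())
    print(f"{len(hits)} suspect of {total} files, alert={alert}")
    for h in hits:
        print("  ", h)
```

Run against a file share, a hit count that climbs across consecutive scans is the signal worth acting on; a handful of static matches is usually leftover benign lock files.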
Tactic | Technique ID | Technique
Persistence | T1197 | BITS Jobs
Persistence | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1547 | Boot or Logon Autostart Execution
Privilege Escalation | T1484 | Group Policy Modification
Defense Evasion | T1197 | BITS Jobs
Defense Evasion | T1484 | Group Policy Modification
Defense Evasion | T1036.004 | Masquerade Task or Service
Credential Access | T1003 | OS Credential Dumping
Discovery | T1087 | Account Discovery
Impact | T1486 | Data Encrypted for Impact
Impact | T1489 | Service Stop
Impact | T1529 | System Shutdown/Reboot