Overview

overview

10

Static

static

8

459c6aa44a...12.exe

windows7-x64

10

459c6aa44a...12.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712

  • Size

    333KB

  • Sample

    221109-tfstcsabc4

  • MD5

    393e9f112cc999ebd9333877bcc7535e

  • SHA1

    ed65581b6c3980b3ddf623a4d2f61ce08ce59bdf

  • SHA256

    459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712

  • SHA512

    021116a238f84e003ba6a5817b4d6ed27637ed6bc1d6d424533813d70964953c9deb1c62e94bae89db7c59f09dcc76ee5c92ad66c8e7688cd0d4643bc6d72c83

  • SSDEEP

    6144:05qtAQ4n9hFPMRp8wayVlTrsusy6szJzHRhDK:MqtYHU8NqrskxHRhDK

Score
10/10
surtrevasionpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (g3jzqW3IeJy28z) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (cJ6oH75fDMhErg) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Targets

    • Target

      459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712

    • Size

      333KB

    • MD5

      393e9f112cc999ebd9333877bcc7535e

    • SHA1

      ed65581b6c3980b3ddf623a4d2f61ce08ce59bdf

    • SHA256

      459c6aa44a4e4a04d5f49a32b772d5f3452af77e1aa3fa528061f61e2dc8f712

    • SHA512

      021116a238f84e003ba6a5817b4d6ed27637ed6bc1d6d424533813d70964953c9deb1c62e94bae89db7c59f09dcc76ee5c92ad66c8e7688cd0d4643bc6d72c83

    • SSDEEP

      6144:05qtAQ4n9hFPMRp8wayVlTrsusy6szJzHRhDK:MqtYHU8NqrskxHRhDK

    Score
    10/10
    surtrevasionpersistenceransomwarespywarestealertrojanupx

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

      ransomwaresurtr

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Hidden Files and Directories

1
T1158

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

File Deletion

2
T1107

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Tasks