surtr | 32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1 | Triage

Submit
Reports

Overview

overview

Static

static

32f9e35d86...c1.exe

windows7-x64

32f9e35d86...c1.exe

windows10-2004-x64

Sharing

General

Target

32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1
Size

1.1MB
Sample

221110-jldxaahgen
MD5

674e7ee905d24a89af47b53b53ffc23c
SHA1

c6b73b882aa1f4d46ec655a5591a28638700856c
SHA256

32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1
SHA512

6a0623742423f2137a0a9285e6a590659f8436eeb1fd7c9bcb5e16ecbffa949ae82cf59ee9a49e614345b559a581cfe23c87afce028d1927335dc4938a9b0408
SSDEEP

24576:ibBzKGHF0bxTCFvXwKl/aISpu4Qc6F3v1HT2BzN2tgGS3YzYhoPGxFG4zmYw7A:wV4xTC4u4Qc6/F8bw4Nw

Score

10^/10

surtr evasion ransomware trojan

Static task

static1

2 signatures

Behavioral task

behavioral1

Sample

32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1.exe

Resource

win7-20220812-en

evasion ransomware

windows7-x64

10 signatures

150 seconds

Behavioral task

behavioral2

Sample

32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1.exe

Resource

win10v2004-20220812-en

evasion ransomware trojan

windows10-2004-x64

13 signatures

150 seconds

Malware Config

Targets

- Target
  
  32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1
- Size
  
  1.1MB
- MD5
  
  674e7ee905d24a89af47b53b53ffc23c
- SHA1
  
  c6b73b882aa1f4d46ec655a5591a28638700856c
- SHA256
  
  32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1
- SHA512
  
  6a0623742423f2137a0a9285e6a590659f8436eeb1fd7c9bcb5e16ecbffa949ae82cf59ee9a49e614345b559a581cfe23c87afce028d1927335dc4938a9b0408
- SSDEEP
  
  24576:ibBzKGHF0bxTCFvXwKl/aISpu4Qc6F3v1HT2BzN2tgGS3YzYhoPGxFG4zmYw7A:wV4xTC4u4Qc6/F8bw4Nw
Score

10^/10

evasion ransomware trojan
- Deletes NTFS Change Journal
  The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.
  ransomware
- UAC bypass
  evasion trojan
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Deletes backup catalog
  Uses wbadmin.exe to inhibit system recovery.
  ransomware
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

Persistence

Privilege Escalation

Bypass User Account Control

Defense Evasion

Bypass User Account Control

Disabling Security Tools

Modify Registry

File Deletion

Credential Access

Discovery

Query Registry

System Information Discovery

Peripheral Device Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Inhibit System Recovery

Data Destruction

Tasks

static1

behavioral1

evasionransomware

behavioral2

evasionransomwaretrojan

© 2018-2024

Terms | Privacy