General

  • Target

    8367864101.zip

  • Size

    979KB

  • Sample

    221114-d417msef26

  • MD5

    932cbc0036a7bbd8608c8b37e1c62107

  • SHA1

    24ce74cc99a1de006c75efdcb283dce32798c840

  • SHA256

    6d6574e74ba62be38aa98daca0afab87a809d956a4ed0b2adb216940df5fdb04

  • SHA512

    0d186f54209e60899bf1923aa2e1a1fc4822ec9837d94a2d226caebdded97732c6c7773e2a7c15ed6ad769612b39ec739dfea4b8f2059aea5381d0e6acf2f7ae

  • SSDEEP

    24576:VedweGUoWlXpi1dMD2IRJQwCPJ3Xs5k87yXr:Ved4TWlX81Gb6PJM+Jb

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (okvd1x8i6h1pch) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (3w6r82pc4b3jym) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Targets

    • Target

      32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1

    • Size

      1.1MB

    • MD5

      674e7ee905d24a89af47b53b53ffc23c

    • SHA1

      c6b73b882aa1f4d46ec655a5591a28638700856c

    • SHA256

      32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1

    • SHA512

      6a0623742423f2137a0a9285e6a590659f8436eeb1fd7c9bcb5e16ecbffa949ae82cf59ee9a49e614345b559a581cfe23c87afce028d1927335dc4938a9b0408

    • SSDEEP

      24576:ibBzKGHF0bxTCFvXwKl/aISpu4Qc6F3v1HT2BzN2tgGS3YzYhoPGxFG4zmYw7A:wV4xTC4u4Qc6/F8bw4Nw

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Target

      abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14

    • Size

      1.1MB

    • MD5

      ad539ebdf9e34e02be487134cf9a6713

    • SHA1

      b5af8a12c5a6ed369debaad7eab59e3cb1715e2d

    • SHA256

      abd49fd6f57d4f0ffef794257692c61b2089ee412ae27fe36a9ffee41f9d5e14

    • SHA512

      386291d7dd9fa62f7514e784a238bd7a5099a0d2edd8af6085c61e3953a6914faf3dc299f07d56bed3b5b337a18c8b636c84f88693d3bc2512f8dfd51e711492

    • SSDEEP

      24576:g3BzKGHF0bxTCFvXwKt/aISpu4Qc6F3v1HT2BzN2tgGS3YzYhoHWxVGI8WIQbQ:KV4xTCwu4Qc6/F87gIwQ

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Matrix (ATT&CK v6)

Tactic                 Technique                               ID      Count
Execution              Command-Line Interface                  T1059   2
Execution              Scheduled Task                          T1053   2
Persistence            Registry Run Keys / Startup Folder      T1060   2
Persistence            Scheduled Task                          T1053   2
Persistence            Hidden Files and Directories            T1158   2
Privilege Escalation   Bypass User Account Control             T1088   2
Privilege Escalation   Scheduled Task                          T1053   2
Defense Evasion        Bypass User Account Control             T1088   2
Defense Evasion        Disabling Security Tools                T1089   2
Defense Evasion        Modify Registry                         T1112   4
Defense Evasion        File Deletion                           T1107   6
Defense Evasion        Hidden Files and Directories            T1158   2
Discovery              Query Registry                          T1012   6
Discovery              System Information Discovery            T1082   8
Discovery              Peripheral Device Discovery             T1120   4
Impact                 Inhibit System Recovery                 T1490   12
Impact                 Data Destruction                        T1485   2

Tasks