7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b

General

Target

7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin
Size

1.2MB
Sample

220101-zjrclaaaa5
MD5

09d73a4f9a9b1f31e90978e5f32f97cd
SHA1

6482d6d44f2ec6a9477d365a7d547ae86724da5f
SHA256

7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b
SHA512

f3afb2ce031d58063a66642dc07c535e35f3ead6c6c88b5104177a37d15082d7680a18e0a1ee349f7b2bdcaa0ac36f5e2d07ff49b6696e21039e5338d73d7147

Score

10^/10

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( 0xweYLUpVbTohp ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (0xweYLUpVbTohp) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note

What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( jGUfErCxJWb1te ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Emails

[email protected]

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Ransom Note

SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (jGUfErCxJWb1te) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Emails

[email protected]

Targets

- Target
  
  7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b.bin
- Size
  
  1.2MB
- MD5
  
  09d73a4f9a9b1f31e90978e5f32f97cd
- SHA1
  
  6482d6d44f2ec6a9477d365a7d547ae86724da5f
- SHA256
  
  7dfcbf301686c56d31874642114b1c6ff8f78dfd76f4b88c2f056b7aff8fb19b
- SHA512
  
  f3afb2ce031d58063a66642dc07c535e35f3ead6c6c88b5104177a37d15082d7680a18e0a1ee349f7b2bdcaa0ac36f5e2d07ff49b6696e21039e5338d73d7147
Score

10^/10

evasion persistence ransomware spyware stealer trojan upx
- UAC bypass
  evasion trojan
- Clears Windows event logs
  evasion ransomware
- Deletes shadow copies
  Ransomware often targets backup files to inhibit system recovery.
  ransomware
- Modifies boot configuration data using bcdedit
  ransomware evasion
- Blocklisted process makes network request
- Disables Task Manager via registry modification
  evasion
- Disables use of System Restore points
  evasion
- UPX packed file
  Detects executables packed with UPX/modified UPX open source packer.
  upx
- Drops startup file
- Reads user/profile data of web browsers
  Infostealers often target stored browser data, which can include saved credentials etc.
  spyware stealer
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2