Overview

overview

10

Static

static

Surtr.exe

windows7_x64

10

Surtr.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Surtr.exe

  • Size

    383KB

  • Sample

    220121-dt7axadbbn

  • MD5

    709fedc6247f6c7a93dd570e15010dbe

  • SHA1

    a3b061339364f053f521c894b0d5f08516fee493

  • SHA256

    267fa786176679a2d99bf4d47cbcd8591640452ff393af7d61cfd5c0d8e67f33

  • SHA512

    b6379dc973322b4e46fb79c5b88de30a763fe373cb5381e9d64b6ea56e33a6bb95529e970a53770337a3373efe48a766b9663421e901225da2fe6d1e245d118c

Score
10/10
surtrevasionpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note
What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( VdfyMMNFVER12f ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (VdfyMMNFVER12f) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note
What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( AB3W6wRDMLbZ8u ) for the title of your email. if you weren't able to contact us within 24 hours please email : [email protected] Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (AB3W6wRDMLbZ8u) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Targets

    • Target

      Surtr.exe

    • Size

      383KB

    • MD5

      709fedc6247f6c7a93dd570e15010dbe

    • SHA1

      a3b061339364f053f521c894b0d5f08516fee493

    • SHA256

      267fa786176679a2d99bf4d47cbcd8591640452ff393af7d61cfd5c0d8e67f33

    • SHA512

      b6379dc973322b4e46fb79c5b88de30a763fe373cb5381e9d64b6ea56e33a6bb95529e970a53770337a3373efe48a766b9663421e901225da2fe6d1e245d118c

    Score
    10/10
    surtrevasionpersistenceransomwarespywarestealertrojanupx

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

      ransomwaresurtr

    • UAC bypass

      evasiontrojan

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Sets service image path in registry

      persistence

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks