Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

8

Surtr.exe

windows7_x64

10

Surtr.exe

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Surtr.exe

  • Size

    191KB

  • Sample

    220302-jzmfkseab6

  • MD5

    664cf36657bf55f20cac44505d3bbb2c

  • SHA1

    a48f8089455201895757503255d0f573ce5d3c66

  • SHA256

    4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35

  • SHA512

    42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735

Score
10/10
evasionpersistenceransomwaretrojanupx

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note
What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( jic101rxx5u76w ) for the title of your email. if you weren't able to contact us within 24 hours please email : Telegram id @Ransome_Decrypters Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (jic101rxx5u76w) for the title of your email . If you weren't able to contact us within 24 hours please email : Telegram id @Ransome_Decrypters If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Extracted

Path

C:\ProgramData\Service\SURTR_README.txt

Ransom Note
What happened to your files? Unfortunately, your server was compromised, using a security hole in your server. All your files are encrypted with a military algorithm . in order to contact us you can email this address [email protected] use this ID( 0r6fjlh4j8u4ts ) for the title of your email. if you weren't able to contact us within 24 hours please email : Telegram id @Ransome_Decrypters Only we can decrypt your files. Please do not contact separate fraudulent sites. You can use freeand even paid software on the Internet, but it is uselessand will cause you to lose filesand timeand money.

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (0r6fjlh4j8u4ts) for the title of your email . If you weren't able to contact us within 24 hours please email : Telegram id @Ransome_Decrypters If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Targets

    • Target

      Surtr.exe

    • Size

      191KB

    • MD5

      664cf36657bf55f20cac44505d3bbb2c

    • SHA1

      a48f8089455201895757503255d0f573ce5d3c66

    • SHA256

      4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35

    • SHA512

      42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735

    Score
    10/10
    evasionpersistenceransomwaretrojanupx

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

      ransomware

    • UAC bypass

      evasiontrojan

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks