General

  • Target

    5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b

  • Size

    190KB

  • Sample

    221021-j8lkmsbbg3

  • MD5

    5409ee640663b8d1f520af46c1146c0e

  • SHA1

    73eebd0dd94ce3d161a7f191196b8bcc354af55a

  • SHA256

    5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b

  • SHA512

    dbaf6fdb7ae2dcbbce17aa9c1fc1932a054a024c9f32db8f8c810c9023480476a508397ae9a5e231ba27ce85c6d402b0ce5beb63a4b7fcb20702af9d1ec7f82a

  • SSDEEP

    3072:R1WTpHdp+hKaf5fVZ5/u63YbFVOppyis6h83ZHZZfKmJZGexxVAdueB+out:qHr85x/u6IbFVSyiJOpHTfNA6VxeB+oS

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware

OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN!!

Notice: There is only one way to restore your data. Read the boxes carefully!

Attention: Do not change file names. Do not try to decrypt using third-party software; it may cause permanent data loss. Your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within the first 15 days of encryption. Otherwise the price will be doubled. In order to warranty you, our team will decrypt 3 of your desired files for free, but you need to pay the specified price for the rest of the operation.

How To Decrypt: Your system is offline. In order to contact us you can email this address [email protected]. Use this ID (t0pq1466jbkptx) for the title of your email. If you weren't able to contact us within 24 hours please email: [email protected] If you didn't get any response within 48 hours use this link (Not Available Now). Send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible.

Targets

    • Target

      5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b

    • Size

      190KB

    • MD5

      5409ee640663b8d1f520af46c1146c0e

    • SHA1

      73eebd0dd94ce3d161a7f191196b8bcc354af55a

    • SHA256

      5c8abbfaf7902307dd307563abd7c06fa90424f82f6327401acca1586f05191b

    • SHA512

      dbaf6fdb7ae2dcbbce17aa9c1fc1932a054a024c9f32db8f8c810c9023480476a508397ae9a5e231ba27ce85c6d402b0ce5beb63a4b7fcb20702af9d1ec7f82a

    • SSDEEP

      3072:R1WTpHdp+hKaf5fVZ5/u63YbFVOppyis6h83ZHZZfKmJZGexxVAdueB+out:qHr85x/u6IbFVSyiJOpHTfNA6VxeB+oS

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files, used by Windows Server systems.

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks