Overview

overview

10

Static

static

surtr.exe

windows7-x64

10

surtr.exe

windows10-2004-x64

10

Resubmissions

01-11-2022 14:02

221101-rckx8sddcn 10

24-12-2021 07:08

211224-hx8qcscee3 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    surtr.exe

  • Size

    320KB

  • Sample

    221101-rckx8sddcn

  • MD5

    e6fc190168519d6a6c4f1519e9450f0f

  • SHA1

    af2080ddf1064fb80c7b9af942aaabf264441098

  • SHA256

    8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

  • SHA512

    4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

  • SSDEEP

    6144:Q4K8rYBWqjbqL7busNWGl3GDmm+miR9zrmkdAZ:Q46QKbQJNDl3cmgiRlK

Score
10/10
surtrevasionpersistenceransomwarespywarestealertrojanupx

Malware Config

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address DecryptMyData@mailfence.com use this ID (lvBMGdsBHowF3m) for the title of your email . If you weren't able to contact us within 24 hours please email : Decrypter@msgsafe.io If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible
Emails

DecryptMyData@mailfence.com

Decrypter@msgsafe.io

Extracted

Path

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . If you do not pay the fee within one month , your important files will be published in our public belog . Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address DecryptMyData@mailfence.com use this ID (zD1C7YS8iVTbvc) for the title of your email . If you weren't able to contact us within 24 hours please email : Decrypter@msgsafe.io If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible
Emails

DecryptMyData@mailfence.com

Decrypter@msgsafe.io

Targets

    • Target

      surtr.exe

    • Size

      320KB

    • MD5

      e6fc190168519d6a6c4f1519e9450f0f

    • SHA1

      af2080ddf1064fb80c7b9af942aaabf264441098

    • SHA256

      8199ef63e0058be6217ec8392258fbe7fac9fb556b8e87f40a3a45835f424980

    • SHA512

      4522d4e3f8a38dbceb30d09ea04ceeacc33bb273d702d706be68405cd4c9492f862f4ae741f4e0140b54203b3db521e96663f9757bb241b1ac63c1eda3ebb6ba

    • SSDEEP

      6144:Q4K8rYBWqjbqL7busNWGl3GDmm+miR9zrmkdAZ:Q46QKbQJNDl3cmgiRlK

    Score
    10/10
    surtrevasionpersistenceransomwarespywarestealertrojanupx

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

      ransomwaresurtr

    • UAC bypass

      evasiontrojan

    • Clears Windows event logs

      evasionransomware

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • rans

      .

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx

    • Drops startup file

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Adds Run key to start application

      persistence

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Registry Run Keys / Startup Folder

1
T1060

Scheduled Task

1
T1053

Hidden Files and Directories

1
T1158

Privilege Escalation

Bypass User Account Control

1
T1088

Scheduled Task

1
T1053

Defense Evasion

Bypass User Account Control

1
T1088

Disabling Security Tools

1
T1089

Modify Registry

2
T1112

Indicator Removal on Host

1
T1070

File Deletion

2
T1107

Hidden Files and Directories

1
T1158

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

Peripheral Device Discovery

1
T1120

System Information Discovery

1
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Inhibit System Recovery

4
T1490

Tasks