General

  • Target

    b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.zip

  • Size

    482KB

  • Sample

    221114-qkg1wabg72

  • MD5

    fff86878a49d75451bfd060175c9d907

  • SHA1

    0b09147af64b58cac4b9480c7458b45f36a27f99

  • SHA256

    6b1a255ffd81c4215a32258588140e0ad742605071ae14708ad3b83271d04f85

  • SHA512

    cfbbc6ebb2b1b69840fd0517e94064c7f8142383a5380e8a11375e59e656190d96afad66981dc6ee647e6b53259a167fb34d926ede85f57c4ad121c99a875895

  • SSDEEP

    12288:FEbj0RDQnj8m/8HjUXkubWyyLKow3I0N+e0CDN16K:GQDQjYobWyyLK5I9E6K

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (d75kolyhzzoec2) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Targets

    • Target

      b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

    • Size

      1.1MB

    • MD5

      ffc6b559c24b8d82afcb5c01bb5619d9

    • SHA1

      8e068e9c486769716d9685f85687b531ab3a88cf

    • SHA256

      b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0

    • SHA512

      48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191

    • SSDEEP

      24576:NyBzKGHF0bxTCFvXwKk/aISpu4Qc6F3v1HT2BzN2tgGS3YzYho1yWEsWbj28Q5m:AV4xTCzu4Qc6/F8S8bzQ

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

    • UAC bypass

    • Clears Windows event logs

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Sets desktop wallpaper using registry

MITRE ATT&CK Enterprise v6

Tasks