General

  • Target

    32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1.zip

  • Size

    483KB

  • Sample

    221115-g11cqafb88

  • MD5

    a053c6123c1b631bec3fbf969d767621

  • SHA1

    2d68adbeb898c66592f6132ac02a64f0f1ad8359

  • SHA256

    e69ccc9b966b37285ccdf38d11580183d1adf921791ed1ce25da6ef8dbc76658

  • SHA512

    ac2fa71dd05c3136ac2757812ba04080ae9f46046312334a09fa0685e70fd89d3a737d20bc08ab158f5fafeae7e4e5d96dae7cfd68a16e7c4943b96a58b72de3

  • SSDEEP

    12288:UyCTWiWoJYMqLxhLmvQyZpb0qVDtpGzdG2h9gcr:/Coopql1iQspb0SKzh9vr

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (308qod4yzz1vfq) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Targets

    • Target

      32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1.exe

    • Size

      1.1MB

    • MD5

      674e7ee905d24a89af47b53b53ffc23c

    • SHA1

      c6b73b882aa1f4d46ec655a5591a28638700856c

    • SHA256

      32f9e35d861d166a7ae22eb24f50ab0fb1adedc9f1ae5f1ce2c76e3268b2b4c1

    • SHA512

      6a0623742423f2137a0a9285e6a590659f8436eeb1fd7c9bcb5e16ecbffa949ae82cf59ee9a49e614345b559a581cfe23c87afce028d1927335dc4938a9b0408

    • SSDEEP

      24576:ibBzKGHF0bxTCFvXwKl/aISpu4Qc6F3v1HT2BzN2tgGS3YzYhoPGxFG4zmYw7A:wV4xTC4u4Qc6/F8bw4Nw

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

    • UAC bypass

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies boot configuration data using bcdedit

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

    • Disables Task Manager via registry modification

    • Disables use of System Restore points

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

MITRE ATT&CK Enterprise v6

Tasks