Overview

overview

10

Static

static

10

b88fe97196...d0.exe

windows7-x64

9

b88fe97196...d0.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.zip

  • Size

    482KB

  • Sample

    221115-gt3t9sfb74

  • MD5

    c43b82e2d1c2a6d96640349b0dc17d40

  • SHA1

    885645e937f663551e86ee32c4d690097ca6b352

  • SHA256

    7f5500562fc0e7350550841de9333f51b21c79e3a395558d397d356e1bb29f5e

  • SHA512

    7974ff94bb1913526b9f8e09e963a602c17468baef2f57568781f6fdc91462c911a06038caec4c467749dd41829b79123cb54518cc11679c2a4fc7d4e726d3c2

  • SSDEEP

    12288:/Q5RmMN62TCq3E3K4dPjIatZ68idn3m1gV:i6+CZzIazifV

Score
10/10
surtrevasionpersistenceransomwaretrojan

Malware Config

Extracted

Path

C:\ProgramData\Service\SURTR_README.hta

Family

surtr

Ransom Note
SurtrRansomware OOPS ALL YOUR IMPORTANT FILES HAVE BEEN ENCRYPTED AND STOLEN !! Notice : There is only one way to restore your data read the boxes carefully! Attention : Do Not change file names. Do Not try to decrypt using third party softwares , it may cause permanent data loss . your files will be sold on the Dark Web after 15 days. Imagine 1 million hackers have all your information including files, IP, name and number and location and ... Do not pay any money before decrypting the test files. You can use our 50% discount if you pay the fee within first 15 days of encryption . otherwise the price will be doubled. In order to warranty you , our team will decrypt 3 of your desired files for free.but you need to pay the specified price for the rest of the operation . How To Decrypt : Your system is offline . in order to contact us you can email this address [email protected] use this ID (ocsrbkxk57oqbr) for the title of your email . If you weren't able to contact us within 24 hours please email : [email protected] If you didn't get any respond within 48 hours use this link (Not Available Now).send your ID and your cryptor name (SurtrRansomwareUserName) therefore we can create another way to contact you as soon as possible

Targets

    • Target

      b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0.exe

    • Size

      1.1MB

    • MD5

      ffc6b559c24b8d82afcb5c01bb5619d9

    • SHA1

      8e068e9c486769716d9685f85687b531ab3a88cf

    • SHA256

      b88fe97196d3ea799b1e708ab452e9a61f9380a8b27a82f03575f5f046b036d0

    • SHA512

      48cf29ecbf184f9d96b9db95190657604c7fb9570046abbeba70d99c6748afbea5f698bb4bb91b1b9b3b3ab7abc56c36a3230aa20c58a99269fe0a4884522191

    • SSDEEP

      24576:NyBzKGHF0bxTCFvXwKk/aISpu4Qc6F3v1HT2BzN2tgGS3YzYho1yWEsWbj28Q5m:AV4xTCzu4Qc6/F8S8bzQ

    Score
    10/10
    evasionransomwaresurtrpersistencetrojan

    • Deletes NTFS Change Journal

      The USN change journal is a persistent log of all changes made to local files used by Windows Server systems.

      ransomware

    • Detects Surtr Payload

    • Surtr

      Ransomware family first seen in late 2021.

      ransomwaresurtr

    • UAC bypass

      evasiontrojan

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies boot configuration data using bcdedit

      ransomwareevasion

    • Deletes backup catalog

      Uses wbadmin.exe to inhibit system recovery.

      ransomware

    • Disables Task Manager via registry modification

      evasion

    • Disables use of System Restore points

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks