Maze
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Maze has communicated with hard-coded IP addresses via HTTP.(Citation: McAfee Maze March 2020)
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.(Citation: Sophos Maze VM September 2020)
Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | The Maze encryption process has used batch scripts with various commands.(Citation: FireEye Maze May 2020)(Citation: Sophos Maze VM September 2020)
Enterprise | T1564.006 | Hide Artifacts: Run Virtual Instance | Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so that Maze could encrypt files on the shared drives as well as on the local machine.(Citation: Sophos Maze VM September 2020)
Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Maze has disabled dynamic analysis and other security tools, including the IDA debugger, x32dbg, and OllyDbg.(Citation: McAfee Maze March 2020) It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services.(Citation: Sophos Maze VM September 2020)
Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Maze operators have created scheduled tasks masquerading as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" that are designed to launch the ransomware.(Citation: Sophos Maze VM September 2020)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | Maze has inserted large blocks of junk code, including some components that decrypt strings and other information needed later in the encryption process.(Citation: McAfee Maze March 2020)
Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | Maze has injected the malware DLL into a target process.(Citation: McAfee Maze March 2020)(Citation: Sophos Maze VM September 2020)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Maze has created scheduled tasks using name variants such as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update" to launch Maze at a specific time.(Citation: Sophos Maze VM September 2020)
Enterprise | T1218.007 | System Binary Proxy Execution: Msiexec | Maze has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using
Enterprise | T1614.001 | System Location Discovery: System Language Discovery | Maze has checked the language of the machine with function
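The two scheduled-task rows above (T1036.004 and T1053.005) describe the same artifact from two angles: a task whose name mimics an update job and whose action launches the ransomware. A detection built on Windows Security event 4698 (scheduled task created) can match both the exact names Sophos reported and the broader pattern. The following is an added example written for this page; it is not ATT&CK, Sophos or Maze code. The lure names come from the table above; the allow-list of updater paths, the event field names as reduced here, and the sample records are assumptions and constructed data for the demonstration.

```python
"""Classify Windows Security 4698 (scheduled task created) records against the
Maze scheduled-task lures described on this page.

Added example for this page; not ATT&CK, Sophos or Maze code. The lure names
are the ones Sophos reported. The updater-path allow-list and the sample
events below are assumptions / constructed data for the demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Task names Maze operators used (Sophos Maze VM September 2020), normalised.
MAZE_LURE_NAMES = {
    "windows update security",
    "windows update security patches",
    "google chrome security update",
}

# Assumption: genuine Windows / Chrome update actions launch from these prefixes.
EXPECTED_UPDATER_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\google\\update\\",
    "c:\\program files (x86)\\google\\update\\",
)

# 4698 logs the task definition XML (TaskContent) in the Task Scheduler namespace.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def normalise_task_name(task_name: str) -> str:
    """Drop the folder part of a '\\Folder\\Name' task path, collapse spaces, lower-case."""
    leaf = task_name.rsplit("\\", 1)[-1]
    return re.sub(r"\s+", " ", leaf).strip().lower()


def command_from_task_xml(task_content: str) -> str:
    """Return the first <Exec><Command> in the logged TaskContent, or '' if none."""
    root = ET.fromstring(task_content)
    cmd = root.find(".//t:Exec/t:Command", TASK_NS)
    if cmd is None or not cmd.text:
        return ""
    return cmd.text.strip().strip('"')


def classify_task_event(event: dict) -> str:
    """Return 'maze-lure', 'suspicious' or 'benign' for one reduced 4698 record."""
    if event.get("EventID") != 4698:
        return "benign"
    name = normalise_task_name(event["TaskName"])
    command = command_from_task_xml(event["TaskContent"]).lower()
    if name in MAZE_LURE_NAMES:
        return "maze-lure"  # exact match on a task name reported for Maze
    # Heuristic (assumption): a task that sounds like an update or security job
    # but whose action lives outside the known updater paths deserves triage.
    update_like = "update" in name and ("security" in name or "chrome" in name)
    from_expected = command.startswith(EXPECTED_UPDATER_PREFIXES)
    if update_like and not from_expected:
        return "suspicious"
    return "benign"


def scan(events: list[dict]) -> list[tuple[str, str]]:
    """Return (TaskName, verdict) for every event that is not benign."""
    results = []
    for ev in events:
        verdict = classify_task_event(ev)
        if verdict != "benign":
            results.append((ev["TaskName"], verdict))
    return results


def _task_xml(command: str) -> str:
    """Build a minimal TaskContent document around a single Exec action."""
    return (
        '<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        '<Actions Context="Author"><Exec><Command>' + command + "</Command></Exec></Actions></Task>"
    )


# Constructed sample 4698/4699 records (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 4698, "TaskName": "\\Windows Update Security",
     "TaskContent": _task_xml("C:\\Users\\Public\\run.bat")},
    {"EventID": 4698, "TaskName": "\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start",
     "TaskContent": _task_xml("C:\\Windows\\system32\\sc.exe")},
    {"EventID": 4698, "TaskName": "\\Chrome Security Updater",
     "TaskContent": _task_xml("C:\\Users\\bob\\AppData\\Local\\Temp\\upd.exe")},
    {"EventID": 4699, "TaskName": "\\Google Chrome Security Update",
     "TaskContent": _task_xml("C:\\Users\\Public\\run.bat")},  # task deleted: out of scope here
]

if __name__ == "__main__":
    for task, verdict in scan(SAMPLE_EVENTS):
        print(f"{verdict:10} {task}")
```

The exact-name match is cheap and precise but brittle, since operators only need to change one word; the second tier catches the look-alike ("Chrome Security Updater" launched from a user's Temp folder) at the cost of needing a maintained list of where legitimate update actions live. Real 4698 records carry TaskContent as a full XML document, so keep the namespace-aware lookup rather than a substring search.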
Groups That Use This Software

ID | Name | References
---|---|---
G0037 | FIN6 | (Citation: FireEye Maze May 2020)
G0046 | FIN7 | (Citation: Microsoft Ransomware as a Service)
References
- FireEye Maze May 2020: Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020.
- McAfee Maze March 2020: Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020.
- Sophos Maze VM September 2020: Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020.
- Microsoft Ransomware as a Service: Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023.