The Maze ransomware has recently been making the news due to some high-profile infections. In addition to requesting, in some instances, ransoms of 6+ million USD to regain access to the files, the group behind the malware has also leaked some of these files if the ransom was not paid.
In this post, we will look at the detected behaviors and IOCs from the Maze ransomware as identified by RSA NetWitness Endpoint and Network.
The following is the malware sample tested within this post.
SHA256: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f
Execution of Maze
When the victim gets infected, the first thing they notice is that some of their open applications, such as Word and Excel, are closed. Once the ransomware has finished executing, the desktop background is changed, as seen in the screenshot below, instructing the victim to pay the ransom.
The victim will also notice a new text file in their folder (which is automatically opened at reboot). The file provides detailed instructions on how to make the payment.
RSA NetWitness Endpoint
By leveraging RSA NetWitness Endpoint, we can look at the behavior of the malware on the victim’s machine.
If we first look at the overall details for that specific workstation, we can see:
By going to the list of processes, we can see the “maze.exe” file (the filename could be different) with a risk score of 76 based on its behavior on the system, and with a known reputation of “Malicious” based on its file hash.
If we then look at the loaded libraries, we can see that the ransomware has in fact loaded a DLL in memory:
If we then look at the files to run at startup, we can see that the text files have been added to the startup folders so that they are opened automatically at startup and display the payment instructions to the user:
If we finally look at the overall behavior of the ransomware on the system:
RSA NetWitness Network
By leveraging RSA NetWitness Network, we can look at the ransomware’s behavior from the network’s perspective. From the Endpoint side, we have already confirmed that the ransomware initiated connections to the Internet.
By filtering on outbound traffic over HTTP, we can identify multiple suspicious behaviors.
We can then go to the session reconstruction view to look in more detail at one of those sessions.
By reconstructing the session, we can:
Combining these indicators leads us to the suspicious network sessions initiated by the ransomware, including:
Indicators of Compromise
Below are some IOCs that can be used in RSA NetWitness Network and Endpoint to identify potential Maze infections in your environment. Note that they are based on the specific variant tested in this post and may differ for other variants. It is usually better to rely on behaviors and techniques, such as those discussed above under the RSA NetWitness Network and Endpoint sections, rather than on specific signatures, since behavior-based detection survives changes to individual indicators.
File Hash
MD5: e69a8eb94f65480980deaf1ff5a431a6
SHA-1: dcd2ab4540bde88f58dec8e8c243e303ec4bdd87
SHA-256: fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f
IP Addresses
91.218.114.4
91.218.114.11
91.218.114.25
91.218.114.26
91.218.114.31
91.218.114.32
91.218.114.37
91.218.114.38
91.218.114.77
91.218.114.79
Domain Names (the malware does not connect to this domain; it is where the victim is directed for payment and further information)
mazedecrypt[.]top
User-Agent
Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
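The following added example (not code from the post or from RSA NetWitness) shows how the indicators from the Network section (outbound HTTP sessions to the listed IPs, the User-Agent string), the Endpoint section (the sample’s hashes, ransom-note text files dropped in a startup folder) and the IOC list above can be combined per host rather than matched one at a time. The proxy line format, the Windows startup-folder path pattern, the private address ranges used to decide what is “outbound”, the indicator weights and all sample telemetry are assumptions constructed for this example; only the hashes, IP addresses, domain and User-Agent come from the post.

```python
"""Combine Maze IOCs from the post with behavioural indicators, per internal host."""
import ipaddress
import re
from typing import Dict, Iterable, List, Tuple

# Indicators quoted from the post (specific to the variant tested there).
MAZE_HASHES = {
    "e69a8eb94f65480980deaf1ff5a431a6",
    "dcd2ab4540bde88f58dec8e8c243e303ec4bdd87",
    "fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f",
}
MAZE_IPS = {
    "91.218.114.4", "91.218.114.11", "91.218.114.25", "91.218.114.26",
    "91.218.114.31", "91.218.114.32", "91.218.114.37", "91.218.114.38",
    "91.218.114.77", "91.218.114.79",
}
MAZE_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko"
MAZE_DOMAIN = "mazedecrypt.top"  # payment portal, not contacted by the malware itself

# Assumption: RFC 1918 ranges are "internal"; anything else is treated as Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a .txt dropped in a Windows Startup folder (per-user or all-users) is a ransom note.
STARTUP_NOTE_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.txt$", re.IGNORECASE)

# Weights are this example's judgement: hash and C2 IP are strong, the User-Agent alone
# is weak because it closely resembles a legitimate IE11 string.
WEIGHTS = {"hash": 90, "c2_ip": 70, "startup_note": 40, "payment_domain": 30, "user_agent": 20}


def parse_proxy_line(line: str) -> Dict[str, str]:
    """Parse one constructed proxy record: time|src_ip|dst_ip|method|host|user_agent."""
    fields = line.rstrip("\n").split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed proxy line: {line!r}")
    return dict(zip(("time", "src_ip", "dst_ip", "method", "host", "user_agent"), fields))


def is_outbound(src_ip: str, dst_ip: str) -> bool:
    """True when an internal source talks to a non-internal destination."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return any(src in n for n in PRIVATE_NETS) and not any(dst in n for n in PRIVATE_NETS)


def network_indicators(rec: Dict[str, str]) -> List[str]:
    """Indicators hit by one HTTP session; only outbound sessions are considered."""
    hits: List[str] = []
    if not is_outbound(rec["src_ip"], rec["dst_ip"]):
        return hits
    if rec["dst_ip"] in MAZE_IPS:
        hits.append("c2_ip")
    if rec["user_agent"] == MAZE_UA:
        hits.append("user_agent")
    host = rec["host"].lower().rstrip(".")
    if host == MAZE_DOMAIN or host.endswith("." + MAZE_DOMAIN):
        hits.append("payment_domain")
    return hits


def endpoint_indicators(event: Dict[str, str]) -> List[str]:
    """Indicators hit by one endpoint event carrying optional hash and file-path fields."""
    hits: List[str] = []
    if any(event.get(k, "").lower() in MAZE_HASHES for k in ("md5", "sha1", "sha256")):
        hits.append("hash")
    if STARTUP_NOTE_RE.search(event.get("path", "")):
        hits.append("startup_note")
    return hits


def score(indicators: Iterable[str]) -> int:
    """Sum the weights of distinct indicators, capped at 100."""
    return min(100, sum(WEIGHTS[i] for i in set(indicators)))


def triage_hosts(proxy_lines: Iterable[str], endpoint_events: Iterable[Dict[str, str]]
                 ) -> Dict[str, Tuple[int, List[str]]]:
    """Group hits by internal host so weak and strong indicators reinforce each other."""
    per_host: Dict[str, set] = {}
    for line in proxy_lines:
        rec = parse_proxy_line(line)
        per_host.setdefault(rec["src_ip"], set()).update(network_indicators(rec))
    for ev in endpoint_events:
        per_host.setdefault(ev["host_ip"], set()).update(endpoint_indicators(ev))
    return {h: (score(hits), sorted(hits)) for h, hits in per_host.items() if hits}


# Constructed sample telemetry (not from the post). 198.51.100.0/24 and 203.0.113.0/24
# are documentation ranges standing in for benign and unrelated external servers.
SAMPLE_PROXY = [
    "2020-05-01T10:00:01Z|10.0.0.5|91.218.114.4|POST|91.218.114.4|" + MAZE_UA,
    "2020-05-01T10:00:02Z|10.0.0.5|198.51.100.20|GET|example.com|" + MAZE_UA,
    "2020-05-01T10:00:03Z|10.0.0.7|198.51.100.20|GET|example.com|Mozilla/5.0 (Windows NT 10.0) Chrome/80",
    "2020-05-01T10:05:00Z|10.0.0.9|203.0.113.10|GET|mazedecrypt.top|Mozilla/5.0 (Windows NT 10.0) Chrome/80",
]
SAMPLE_ENDPOINT = [
    {"host_ip": "10.0.0.5", "sha256": "fc611f9d09f645f31c4a77a27b6e6b1aec74db916d0712bef5bce052d12c971f",
     "path": "C:\\Users\\victim\\Downloads\\maze.exe"},
    # The real note's filename is not given in the post; placeholder name used here.
    {"host_ip": "10.0.0.5", "path": "C:\\Users\\victim\\AppData\\Roaming\\Microsoft\\Windows"
                                    "\\Start Menu\\Programs\\Startup\\ransom_note_placeholder.txt"},
]

if __name__ == "__main__":
    for host, (risk, hits) in sorted(triage_hosts(SAMPLE_PROXY, SAMPLE_ENDPOINT).items()):
        print(f"{host}: risk={risk} indicators={hits}")
```

On the constructed data, 10.0.0.5 is flagged on four independent indicators and reaches the cap, 10.0.0.9 is flagged only for browsing to the payment portal (a user researching a note, not necessarily an infected host), and 10.0.0.7, which merely talks to the same external server as the victim, produces nothing. The per-host grouping is the point: the User-Agent by itself would be too noisy to alert on, but together with a hit on the hash or the listed IPs it adds confidence, which mirrors the post’s advice to lean on behaviors rather than on any single signature.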