Maze has used the "Wow64RevertWow64FsRedirection" function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection. It has also disabled Windows Defender's Real-Time Monitoring feature and attempted to disable endpoint protection services. Maze has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg.
Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so Maze can encrypt files on the shared drives as well as on the local machine.
Maze has forged POST strings with a random choice from a list of possibilities including "forum", "php", "view", etc., while making connection with the C2, hindering detection efforts. Maze has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files. Maze has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made.
Command and Scripting Interpreter: Windows Command Shell
The Maze encryption process has used batch scripts with various commands.
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Maze has created a file named "startup_vrun.bat" in the Startup folder of a virtual machine to establish persistence.
Application Layer Protocol: Web Protocols
Maze has communicated to hard-coded IP addresses via HTTP.
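Detection logic for several of the behaviours described above (Defender real-time monitoring disabled, VirtualBox exposing a network share to a guest, shadow-copy deletion, a .bat dropped into the Startup folder), as an added example that is not part of the page or of any ATT&CK tooling. The event records are constructed, and the exact Defender and shadow-copy command lines are assumptions, since the page names only the behaviour:

```python
import re

# Constructed Sysmon-style records (not real telemetry): one host's process-create
# and file-create events. User, host and share names are made up.
SAMPLE_EVENTS = [
    {"type": "process", "cmdline": "powershell -c Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "cmdline": r'VBoxManage sharedfolder add "win7" --name fin --hostpath "\\fileserver\finance"'},
    {"type": "file", "path": r"C:\Users\bob\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\startup_vrun.bat"},
    {"type": "process", "cmdline": "notepad.exe report.txt"},
]

# Indicator name, the event type it applies to, and the regex run over the command
# line (process events) or file path (file events). The Defender and shadow-copy
# patterns are assumed common forms; the text names the behaviour, not the command.
INDICATORS = [
    ("defender_realtime_disabled", "process",
     re.compile(r"Set-MpPreference.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
    ("vbox_shared_folder_to_unc", "process",
     re.compile(r'VBoxManage.*sharedfolder\s+add.*--hostpath\s+"?\\\\', re.I)),
    ("shadow_copy_deletion", "process",
     re.compile(r"vssadmin.*delete\s+shadows|wmic.*shadowcopy\s+delete", re.I)),
    ("startup_folder_batch", "file",
     re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.bat$", re.I)),
]


def match_indicators(events):
    """Return the set of indicator names seen anywhere in the event list."""
    hits = set()
    for ev in events:
        for name, etype, rx in INDICATORS:
            if ev.get("type") != etype:
                continue
            subject = ev.get("cmdline", "") if etype == "process" else ev.get("path", "")
            if rx.search(subject):
                hits.add(name)
    return hits


def triage(events):
    """Combine indicators: any one alone is noisy (admins run VBoxManage, backup
    jobs rotate shadow copies), but a Startup-folder .bat together with defender
    tampering or VM staging on the same host is the combination described above."""
    hits = match_indicators(events)
    if "startup_folder_batch" in hits and len(hits) >= 2:
        return "high", sorted(hits)
    if hits:
        return "review", sorted(hits)
    return "none", []
```

Run over a real host's process and file events in the same dict shape, `triage` returns a severity and the sorted list of matched indicators.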