• Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Transform
      • SOC Consultancy
      •     SOC Maturity Assessment
      •     SOC Model Evaluation
      •     SOC Gap Analysis
      •     SIEM Gap Analysis
      •     SIEM Optimization
      •     SOC Content Pack
    • Train
      • Security Awareness and Training
      • Tabletop Exercise
      • Simulated Cyber Attack Exercises
    • Respond
      • Incident Response
      • Incident Analysis
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
Rewterz Threat Alert – Latest AgentTesla Malware – IOCs
June 23, 2020
Rewterz Threat Alert – Increased Office 365 Phishing Campaigns Attacks Related to COVID-19
June 23, 2020

Rewterz Threat Alert – Maze Ransomware

June 23, 2020

Severity

High

Analysis Summary

Maze ransomware sample found as the payload of a phishing campaign. The phishing email has an attached macro-embedded Word document. When enabled, the macro uses content from form boxes to identify the URL hosting the next stage payload and leverages either the URLDownloadToFileA() function or PowerShell to retrieve it. The second stage is a crypter that performs file and command-line argument checks before proceeding to load a base64-encoded data blob. After a series of decryption routines, the Maze ransomware payload is extracted along with shell code. The shellcode is simply responsible for injecting the DLL payload into memory. Upon initial execution, anti-debugging, anti-analysis, and location checks are performed. The first C2 check-in to a hardcoded IP is then performed, which sends the username, computer name, and OS Version to the attacker. Next, it identifies folders, files, and drives to be encrypted, creates the encryption key, and deletes backup files such as volume shadow copies. With these steps complete, encryption begins using the Cha-Cha algorithm with its key encrypted using RSA. Maze has also been distributed via exploit kits.

Impact

File encryption

Indicators of Compromise

MD5

  • 49b28f16ba496b57518005c813640eeb
  • bd9838d84fd77205011e8b0c2bd711e0

SHA-256

  • abdb008fc1eda389a471d18befd90d2f0d26d10f99b946da8165d8d44f6142d0
  • b345697c16f84d3775924dc17847fa3ff61579ee793a95248e9c4964da586dd1

SHA1

  • 181cdb33031c3c4fad6fde3dadc327298a38df58
  • c5938ec75e5b655be84eb94d73adec0f63fbce16

Remediation

  • Block all threat indicatros at your respective controls.
  • Search for IOCs in your existing environment.
  • Services
    • Asses
      • Compromise Assessment
      • APT Assessment
      • Penetration Testing
      • Secure Architecture Design & Review
      • Red Team Assessment
      • Purple Team Assessment
      • Social Engineering
      • Source Code Review
    • Respond
      • Incident Response
      • Incident Analysis
  • Transform
    • SOC Consultancy
    •     SOC Maturity Assessment
    •     SOC Model Evaluation
    •     SOC Gap Analysis
    •     SIEM Gap Analysis
    •     SIEM Optimization
    •     SOC Content Pack
  • Train
    • Security Awareness and Training
    • Tabletop Exercise
    • Simulated Cyber Attack Exercises
  • Managed Security
    • Managed Security Monitoring
      • Remote SOC
      • Onsite SOC
      • Hybrid SOC
    • Managed Security Services
      • Managed Detection and Response
      • Managed Endpoint Detection and Response
      • Managed Threat Intelligence
      • Managed Threat Hunting
      • Managed Risk-Based SOAR
      • Managed Penetration Testing
  • Solutions
  • Resources
    • Blog
    • Threat Advisory
  • Company
    • About Us
    • Careers
    • Contact
COPYRIGHT © REWTERZ. ALL RIGHTS RESERVED.