Halim Abouzeid

WannaCry from the RSA NetWitness Suite's Perspective

Blog Post created by Halim Abouzeid Employee on May 14, 2017

In this post, I will quickly go through some aspects of the WannaCry ransomware from the perspective of RSA NetWitness Endpoint and Packets. This would allow to help detect, investigate and analyze such compromises.



If we first look at the modules dropped by the malware, we can see 5 main modules.

4 of the modules are labeled as "Malicious" based on the reputation database.

We can also see that all of them have a relatively high IIOC score.


If we look at the below triggered IIOCs which caused those scores, we can see some behaviors typical of ransomware:

- "Deletes shadow volume copies" (to stop the recovery of encrypted files)

- "Rapidly reads multiple documents" (triggered during the encryption of the documents)

- "Modifies run key"(to run at startup)

- "Beacon" (due to communication with C2)



If we now analyse the @WannaDecryptor@.exe file (right click, Analyse Module), we can see some artifacts that can help us understand the behavior, such as:

- References to the generation of encryption keys ("CryptGenKey")

- Hard-coded commands, such as the deletion of the shadow volume copies using vssadmin


- Or even the list of file extensions the WannaCry ransomware looks for to encrypt



Now, to look how the WannaCry ransomware infects the machine, we can look at the tracking module, having visibility over the command line arguments as well, and check the behavior in chronological order:

- (1) It first drops the payloads

- (2) It then sets the directory as hidden (as reflected in the triggered IIOCs seen earlier) using "attrib.exe"

- (3) It grants full access to all users using "icacls.exe"

- It writes and executes a batch file and a vbs script

- (4) Documents start to get encrypted


If we continue looking at the behavior tracking, we can see that the malware starts copying the @WanaDecryptor@.exe file to multiple locations on disk:



Finally, once the encryption is completed, it does the following:

- (1) It executes the @WanaDecryptor@.exe file which displays the warning message and countdown to the user

- (2) It drops the files needed to run tor.exe, which is used to communicate with the C2

- (3) It modifies the run registry key

- (4) It deletes the shadow volume copies




If we now have a look from RSA NetWitness Packets' perspective, we can easily and quickly identify the following based on the default parsers and RSA Live Feeds:

- Tunneling using tor (in "Risk: Suspicious")

- Identify access to the tor network, C2 and Crimeware (in "Threat Category")

- The use of SMB and Netbios which is used by the malware to propagate itself

- Access to suspicious looking domain names



It would also be possible to reconstruct those sessions if needed.