WannaCry from the RSA NetWitness Suite’s Perspective

In this post, I will quickly go through some aspects of the WannaCry ransomware from the perspective of RSA NetWitness Endpoint and Packets, to help detect, investigate and analyze such compromises.

If we first look at the modules dropped by the malware, we can see 5 main modules.

4 of the modules are labeled as Malicious based on the reputation database.

We can also see that all of them have a relatively high IIOC (Instant IOC) score.

If we look at the triggered IIOCs below, which caused those scores, we can see some behaviors typical of ransomware:

  • "Deletes shadow volume copies" (to prevent recovery of the encrypted files)
  • "Rapidly reads multiple documents" (triggered while the documents are being encrypted)
  • "Modifies run key" (to run at startup)
  • "Beacon" (due to communication with the C2)

If we now analyse the @WanaDecryptor@.exe file (right-click, Analyse Module), we can see some artifacts that help us understand its behavior, such as:

  • References to the generation of encryption keys (the CryptGenKey API)
  • Hard-coded commands, such as the deletion of the shadow volume copies using vssadmin
  • The list of file extensions the WannaCry ransomware looks for to encrypt

Now, to see how the WannaCry ransomware infects the machine, we can look at the tracking module, which also gives visibility of the command-line arguments, and check the behavior in chronological order:

(1) It first drops the payloads

(2) It then sets the directory as hidden (as reflected in the IIOCs triggered earlier) using attrib.exe

(3) It grants full access to all users using icacls.exe

  • It also writes and executes a batch file and a VBS script

(4) Documents start to get encrypted

If we continue looking at the behavior tracking, we can see that the malware starts copying the @WanaDecryptor@.exe file to multiple locations on disk.

Finally, once the encryption is completed, it does the following:

(1) It executes the @WanaDecryptor@.exe file which displays the warning message and countdown to the user

(2) It drops the files needed to run tor.exe, which is used to communicate with the C2

(3) It modifies the run registry key

(4) It deletes the shadow volume copies
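The IIOCs and the chronological behavior above translate directly into endpoint detection logic. The following is an added example, not RSA NetWitness code and not from the original post: it scores a constructed process-tracking timeline against the behaviors the post lists (hidden directory via attrib, icacls grant, dropped batch/VBS script, burst of document reads, decryptor copied to several directories, run-key change, shadow-copy deletion). Event field layout, the document-extension list, the read-burst threshold and the verdict cut-off are all assumptions made for the example.

```python
"""Endpoint-style detection of the WannaCry behaviors described in the post.

Added example; not RSA NetWitness code. The timeline below is constructed and
every threshold is an assumption chosen to illustrate the rules.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ntpath
import re

DOC_EXT = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pdf", ".txt")  # assumed subset
READ_BURST, READ_WINDOW = 20, timedelta(seconds=10)                  # assumed threshold
RUN_KEY = re.compile(r"\\currentversion\\run\b", re.I)
DECRYPTOR = "@wanadecryptor@.exe"                                    # file name from the post
MIN_HITS = 3                                                         # assumed verdict cut-off


def build_sample_events():
    """Constructed timeline: ransomware process (pid 4100) and a benign editor (pid 2200).

    Each event is (timestamp, pid, image, kind, detail); detail is the command line,
    file path or registry key depending on kind. Paths and names are made up.
    """
    base = datetime.fromisoformat("2017-05-12T10:00:00")
    ev = [
        (base, 4100, "payload.exe", "process_create", r"attrib.exe +h C:\Users\u\Desktop\wc"),
        (base + timedelta(seconds=1), 4100, "payload.exe", "process_create",
         r"icacls.exe . /grant Everyone:F /T /C /Q"),
        (base + timedelta(seconds=2), 4100, "payload.exe", "file_write", r"C:\Users\u\Desktop\wc\run.bat"),
        (base + timedelta(seconds=3), 4100, "payload.exe", "file_write", r"C:\Users\u\Desktop\wc\m.vbs"),
        (base + timedelta(seconds=4), 4100, "payload.exe", "process_create",
         r"cmd.exe /c C:\Users\u\Desktop\wc\run.bat"),
    ]
    # Encryption phase: 25 document reads inside 5 seconds.
    for i in range(25):
        ev.append((base + timedelta(seconds=10 + i * 0.2), 4100, "payload.exe", "file_read",
                   rf"C:\Users\u\Documents\f{i}.docx"))
    # Decryptor copied into three different directories.
    for d in (r"C:\Users\u\Desktop", r"C:\Users\u\Documents", r"C:\Users\u\Pictures"):
        ev.append((base + timedelta(seconds=20), 4100, "payload.exe", "file_write", d + "\\@WanaDecryptor@.exe"))
    ev += [
        (base + timedelta(seconds=30), 4100, "payload.exe", "registry_set",
         r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\wc"),
        (base + timedelta(seconds=31), 4100, "payload.exe", "process_create",
         "vssadmin.exe delete shadows /all /quiet"),
        # Benign: a user opening three documents over several minutes.
        (base + timedelta(minutes=1), 2200, "winword.exe", "file_read", r"C:\Users\u\Documents\report.docx"),
        (base + timedelta(minutes=3), 2200, "winword.exe", "file_read", r"C:\Users\u\Documents\notes.docx"),
        (base + timedelta(minutes=6), 2200, "winword.exe", "file_read", r"C:\Users\u\Documents\plan.docx"),
    ]
    return ev


def _has_burst(times):
    """Sliding window: True if READ_BURST reads fall inside any READ_WINDOW span."""
    times.sort()
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > READ_WINDOW:
            start += 1
        if end - start + 1 >= READ_BURST:
            return True
    return False


def _indicators(evs):
    """Evaluate one process's events against the ransomware behaviors from the post."""
    hits, scripts, copy_dirs, reads = set(), set(), set(), []
    for ts, _pid, _image, kind, detail in evs:
        d = detail.lower()
        if kind == "process_create":
            if "vssadmin" in d and "delete" in d and "shadows" in d:
                hits.add("deletes_shadow_copies")
            if "attrib" in d and "+h" in d:
                hits.add("hides_directory")
            if "icacls" in d and "/grant" in d and ":f" in d:
                hits.add("grants_full_access")
            if any(s in d for s in scripts):            # runs a script it wrote earlier
                hits.add("executes_dropped_script")
        elif kind == "file_write":
            if d.endswith((".bat", ".vbs")):
                scripts.add(d)
            if ntpath.basename(d) == DECRYPTOR:
                copy_dirs.add(ntpath.dirname(d))
        elif kind == "file_read" and d.endswith(DOC_EXT):
            reads.append(ts)
        elif kind == "registry_set" and RUN_KEY.search(d):
            hits.add("modifies_run_key")
    if len(copy_dirs) >= 3:
        hits.add("copies_decryptor_widely")
    if _has_burst(reads):
        hits.add("rapid_document_reads")
    return hits


def analyze(events):
    """Return {pid: set of triggered indicator names} for every process in the timeline."""
    by_pid = defaultdict(list)
    for e in sorted(events):
        by_pid[e[1]].append(e)
    return {pid: _indicators(evs) for pid, evs in by_pid.items()}


def verdict(hits):
    """Aggregate indicators into a simple score, as an IIOC-style roll-up would."""
    return "ransomware-like" if len(hits) >= MIN_HITS else "no verdict"


if __name__ == "__main__":
    for pid, hits in analyze(build_sample_events()).items():
        print(pid, verdict(hits), sorted(hits))
```

The point of the burst rule is the one the "Rapidly reads multiple documents" IIOC makes: a single document read is normal, a sliding-window count is what separates encryption from a user opening files, which is why the benign editor process in the sample ends with no indicators at all.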

If we now have a look from RSA NetWitness Packets' perspective, we can easily and quickly identify the following based on the default parsers and RSA Live feeds:

  • Tunneling over tor (under Risk: Suspicious)
  • Access to the tor network, C2 and crimeware infrastructure (under Threat Category)
  • The use of SMB and NetBIOS, which the malware uses to propagate itself
  • Access to suspicious-looking domain names

It would also be possible to reconstruct those sessions if needed.
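To show what the network-side findings above look like as rules over session metadata, here is an added example that is not RSA NetWitness Packets code, not an RSA Live feed and not from the original post. It runs three checks over constructed sessions: a tor match against a stand-in feed (TEST-NET addresses, not real relays) or typical tor ports, an SMB fan-out check for one host touching many neighbours on 445/139 in a short window, and an entropy check for machine-looking hostnames. The session layout, feed contents, ports, window and thresholds are all assumptions for the example.

```python
"""Network-side triage of the session types listed in the post.

Added example; not NetWitness Packets or Live Feed code. Session records, the
stand-in tor feed and every threshold are constructed assumptions.
"""
from collections import defaultdict
from math import log2

TOR_FEED = {"203.0.113.10", "203.0.113.11"}   # constructed stand-in for a tor node feed
TOR_PORTS = {9001, 9030}                      # common OR / directory ports (weak signal alone)
SMB_PORTS = {445, 139}
SCAN_FANOUT, SCAN_WINDOW = 10, 60.0           # distinct SMB targets per source per minute (assumed)


def build_sample_sessions():
    """Constructed sessions: (time_s, src, dst, dport, hostname or '')."""
    s = [
        (0.0, "10.0.0.5", "203.0.113.10", 9001, ""),                          # tor circuit
        (1.0, "10.0.0.5", "198.51.100.20", 80, "xk7fq2pz9mbe4wl1.example"),   # odd hostname
        (5.0, "10.0.0.7", "10.0.0.2", 445, ""),                               # benign file share
        (6.0, "10.0.0.7", "198.51.100.30", 443, "www.example.com"),
    ]
    # Infected host touching 12 neighbours on 445 within three seconds.
    s += [(10.0 + i * 0.25, "10.0.0.5", f"10.0.0.{100 + i}", 445, "") for i in range(12)]
    return s


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * log2(c / n) for c in counts.values())


def suspicious_hostname(host, min_len=12, min_entropy=3.5):
    """Flag hostnames whose longest label is long and high-entropy (machine-generated look)."""
    label = max(host.split("."), key=len) if host else ""
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def _smb_fanout(seq):
    """True if one source reached SCAN_FANOUT distinct SMB targets inside SCAN_WINDOW seconds."""
    seq.sort()
    start = 0
    for end in range(len(seq)):
        while seq[end][0] - seq[start][0] > SCAN_WINDOW:
            start += 1
        if len({dst for _, dst in seq[start:end + 1]}) >= SCAN_FANOUT:
            return True
    return False


def triage(sessions):
    """Return the three finding sets the post describes from the Packets side."""
    findings = {"tor_tunneling": set(), "smb_propagation": set(), "suspicious_domain": set()}
    smb = defaultdict(list)
    for t, src, dst, dport, host in sessions:
        if dst in TOR_FEED or dport in TOR_PORTS:      # feed hit is the stronger of the two
            findings["tor_tunneling"].add((src, dst))
        if dport in SMB_PORTS:
            smb[src].append((t, dst))
        if host and suspicious_hostname(host):
            findings["suspicious_domain"].add(host)
    for src, seq in smb.items():
        if _smb_fanout(seq):
            findings["smb_propagation"].add(src)
    return findings


if __name__ == "__main__":
    for name, hits in triage(build_sample_sessions()).items():
        print(name, sorted(hits))
```

The SMB rule is the interesting one for WannaCry: a single host talking to a file server on 445 is routine, so the check keys on how many distinct hosts one source reaches in a short window, which is the shape of worm-style propagation rather than of normal share access.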

Reference : community.rsa.com
