WannaCry Ransomware Worm Leveraging CVE-2017-0147 For Propagation

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File

451m4si.exe

Type

Win32 Executable MS Visual C++ (generic)

SHA‑1

44c267fda7b064e73a1b5b0b2aed66177f243fa2

MD5

8500f29df843d0d7205db4fd581e7ba3

First Seen

2025-12-01 14:07:32.665598

Last Analysis

2025-12-01 21:28:46.616835

Dwell Time

0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 7+ hours, this malware remained undetected — a several-hour window that allowed the adversary to complete initial compromise and begin early-stage persistence establishment.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC)	Event	Elapsed
2025-11-11 00:32:42 UTC	First VirusTotal submission	—
2025-12-03 21:11:10 UTC	Latest analysis snapshot	22 days, 20 hours, 38 minutes
2025-12-04 08:24:55 UTC	Report generation time	23 days, 7 hours, 52 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 65. Missed: 7. Coverage: 90.3%.

Detected Vendors

Xcitium
+64 additional vendors (names not provided)

List includes Xcitium plus an additional 64 vendors per the provided summary.

Missed Vendors

Acronis
CMC
Google
google_safebrowsing
SUPERAntiSpyware
TACHYON
tehtris

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

This threat shows heavy registry manipulation (44.27% of total behavior), indicating persistent backdoor installation, configuration tampering, or system policy modification attempts. The malware likely establishes persistence mechanisms and modifies security settings to maintain long-term access.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category	Weight	Percentage
Registry	116	44.27%
System	100	38.17%
Threading	17	6.49%
Network	9	3.44%
File System	8	3.05%
Services	6	2.29%
Process	5	1.91%
Crypto	1	0.38%

MITRE ATT&CK Mapping

T1129 – link function at runtime on Windows
T1082 – get number of processors
T1083 – get file size
T1543.003 – persist via Windows service
T1569.002 – persist via Windows service
T1543.003 – start service
T1543.003 – create service
T1569.002 – create service
T1543.003 – modify service
T1569.002 – modify service
T1016 – get socket status
T1027.005 – contain obfuscated stackstrings

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and
HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain	IP	Country	ASN/Org
www.msftncsi.com	23.200.3.27	United States	Akamai Technologies, Inc.
www.aieov.com	13.248.169.48	United States	Amazon Technologies Inc.

Observed IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

DNS Queries

Request	Type
www.msftncsi.com	A
5isohu.com	A
www.aieov.com	A

Contacted IPs

IP	Country	ASN/Org
224.0.0.252	—	—
239.255.255.250	—	—
8.8.4.4	United States	Google LLC
8.8.8.8	United States	Google LLC

Port Distribution

Port	Count	Protocols
137	1	udp
138	1	udp
5355	5	udp
53	10	udp
3702	1	udp

UDP Packets

Source IP	Dest IP	Sport	Dport	Time	Proto
192.168.56.11	192.168.56.255	137	137	7.293710947036743	udp
192.168.56.11	192.168.56.255	138	138	13.293085098266602	udp
192.168.56.11	224.0.0.252	49563	5355	7.2218170166015625	udp
192.168.56.11	224.0.0.252	54650	5355	7.223717927932739	udp
192.168.56.11	224.0.0.252	55601	5355	7.77789306640625	udp
192.168.56.11	224.0.0.252	60205	5355	7.232243061065674	udp
192.168.56.11	224.0.0.252	62798	5355	9.782684087753296	udp
192.168.56.11	239.255.255.250	62184	3702	7.229140996932983	udp
192.168.56.11	8.8.4.4	51690	53	10.339463949203491	udp
192.168.56.11	8.8.4.4	51899	53	9.793497085571289	udp
192.168.56.11	8.8.4.4	56213	53	40.0903799533844	udp
192.168.56.11	8.8.4.4	59770	53	54.74604797363281	udp
192.168.56.11	8.8.4.4	63439	53	25.699410915374756	udp
192.168.56.11	8.8.8.8	51690	53	11.32474398612976	udp
192.168.56.11	8.8.8.8	51899	53	10.79331111907959	udp
192.168.56.11	8.8.8.8	56213	53	39.09055304527283	udp
192.168.56.11	8.8.8.8	59770	53	53.746861934661865	udp
192.168.56.11	8.8.8.8	63439	53	24.699700117111206	udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

What To Do Now — Practical Defense Playbook

Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.

Zero‑Dwell Threat Intelligence Report