WannaCrypt Executable Exhibiting Classic Worm And Filecoder Behavior


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-12-04 09:42:06 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
eeho4w.exe
Type
Win32 Executable MS Visual C++ (generic)
SHA‑1
e7415b34a1a4aea09ba32684882bd91658947046
MD5
3a4b1aa500f2fe9319a0021a772af5ec
First Seen
2025-12-01 14:08:46.812573
Last Analysis
2025-12-01 21:28:47.765417
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 7+ hours, this malware remained undetected — a several-hour window that allowed the adversary to complete initial compromise and begin early-stage persistence establishment.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-11-11 00:33:33 UTC First VirusTotal submission
2025-12-03 21:12:30 UTC Latest analysis snapshot 22 days, 20 hours, 38 minutes
2025-12-04 09:42:06 UTC Report generation time 23 days, 9 hours, 8 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 73. Detected as malicious: 66. Missed: 7. Coverage: 90.4%.

Detected Vendors

  • Xcitium
  • +65 additional vendors (names not provided)

List includes Xcitium plus an additional 65 vendors per the provided summary.

Missed Vendors

  • Acronis
  • CMC
  • Google
  • SUPERAntiSpyware
  • TACHYON
  • tehtris
  • VirIT

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

Behavioral Storyline — How the Malware Operates

Significant process manipulation (57.69% of behavior) suggests code injection, process hollowing, or privilege escalation techniques. The malware is actively compromising running processes to hide its activities.

Behavior Categories (weighted)

Weight values represent the frequency and intensity of malware interactions with specific system components. Higher weights indicate more aggressive targeting of that category. Each operation (registry access, file modification, network connection, etc.) contributes to the category’s total weight, providing a quantitative measure of the malware’s behavioral focus.

Category Weight Percentage
Process 22490 57.69%
System 5999 15.39%
File System 4442 11.40%
Registry 4254 10.91%
Misc 928 2.38%
Threading 398 1.02%
Device 228 0.58%
Com 80 0.21%
Network 50 0.13%
Services 41 0.11%
Crypto 35 0.09%
Synchronization 22 0.06%
Hooking 11 0.03%
Windows 3 0.01%

MITRE ATT&CK Mapping

  • T1082 – get number of processors
  • T1083 – get file size
  • T1543.003 – create service
  • T1569.002 – create service
  • T1016 – get socket status
  • T1543.003 – start service
  • T1129 – link function at runtime on Windows
  • T1543.003 – persist via Windows service
  • T1569.002 – persist via Windows service
  • T1027.005 – contain obfuscated stackstrings
  • T1543.003 – modify service
  • T1569.002 – modify service

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.aieov.com 76.223.54.146 United States Amazon.com, Inc.
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com 185.150.189.29 Netherlands ReliableSite.Net LLC
www.msftncsi.com 23.200.3.31 United States Akamai Technologies, Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC

DNS Queries

Request Type
www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwff.com A
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
5355 7 udp
53 70 udp
3702 1 udp

UDP Packets


Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.