WannaCryptor Executable Exhibiting Classic Worm Propagation And Encryption


Zero‑Dwell Threat Intelligence Report

A narrative, executive‑ready view into the malware’s behavior, exposure, and reliable defenses.
Generated: 2025-12-04 08:32:21 UTC

Executive Overview — What We’re Dealing With

This specimen has persisted long enough to matter. Human experts classified it as Malware, and the telemetry confirms a capable, evasive Trojan with real impact potential.

File
cwfo6xajm.exe
Type
Win32 Executable MS Visual C++ (generic)
SHA‑1
d9a781d851fe5b195390dc75573427d6d83efc65
MD5
8ada703b743fd10825e23c497484d3f6
First Seen
2025-12-01 14:10:02.853248
Last Analysis
2025-12-01 21:28:47.675445
Dwell Time
0 days, 7 hours, 33 minutes

Extended Dwell Time Impact

For 7+ hours, this malware remained undetected — a several-hour window that allowed the adversary to complete initial compromise and begin early-stage persistence establishment.

Comparative Context

Industry studies report a median dwell time closer to 21–24 days. This case represents rapid detection and containment within hours rather than days.

Timeline

Time (UTC) Event Elapsed
2025-11-13 05:46:23 UTC First VirusTotal submission
2025-12-03 21:12:22 UTC Latest analysis snapshot 20 days, 15 hours, 25 minutes
2025-12-04 08:32:21 UTC Report generation time 21 days, 2 hours, 45 minutes

Why It Matters

Every additional day of dwell time is not just an abstract number — it is attacker opportunity. Each day equates to more time for lateral movement, stealth persistence, and intelligence gathering.

Global Detection Posture — Who Caught It, Who Missed It

VirusTotal engines: 72. Detected as malicious: 67. Missed: 5. Coverage: 93.1%.

Detected Vendors

  • Xcitium
  • +66 additional vendors (names not provided)

List includes Xcitium plus an additional 66 vendors per the provided summary.

Missed Vendors

  • CMC
  • Google
  • MaxSecure
  • SUPERAntiSpyware
  • TACHYON

Why it matters: if any endpoint relies solely on a missed engine, this malware can operate with zero alerts. Prevention‑first controls close that gap regardless of signature lag.

MITRE ATT&CK Mapping

  • T1027 (Obfuscated Files or Information) – reference AES constants; encode data using XOR; encrypt data using RC4 KSA; encrypt data using AES
  • T1012 (Query Registry) – query or enumerate registry value
  • T1082 (System Information Discovery) – get hostname
  • T1083 (File and Directory Discovery) – check if file exists; get common file path; get file size
  • T1129 (Shared Modules) – link function at runtime on Windows; link many functions at runtime; parse PE header
  • T1222 (File and Directory Permissions Modification) – set file attributes
  • T1543.003 (Create or Modify System Process: Windows Service) – create service; start service; persist via Windows service
  • T1569.002 (System Services: Service Execution) – create service; persist via Windows service

Following the Trail — Network & DNS Activity

Outbound activity leans on reputable infrastructure (e.g., CDNs, cloud endpoints) to blend in. TLS sessions and HTTP calls show routine beaconing and IP‑lookup behavior that can masquerade as normal browsing.

Contacted Domains

Domain IP Country ASN/Org
www.msftncsi.com 23.200.3.31 United States Akamai Technologies, Inc.
www.aieov.com 13.248.169.48 United States Amazon Technologies Inc.

Observed IPs

IP Country ASN/Org
224.0.0.252
239.255.255.250
8.8.4.4 United States Google LLC
8.8.8.8 United States Google LLC
95.130.12.119 France Not known
194.109.206.212 Netherlands XS4ALL Internet BV
188.165.194.195 France OVH SAS Dedicated Servers (http://www.ovh.com)
185.96.180.29 Denmark Bornfiber Service Provider Aps, Network and Customers
185.13.38.75 France Not known
171.25.193.9 Sweden DFRI
163.172.194.53 France Scaleway Dedibox – Paris, France
163.172.138.22 France Scaleway Dedibox – Paris, France
149.56.45.200 Canada OVH Hosting, Inc.
148.251.190.229 Germany Hetzner Online GmbH, Datacenter fsn1-dc12
131.188.40.189 Germany REVUE
128.31.0.39 United States Massachusetts Institute of Technology

DNS Queries

Request Type
5isohu.com A
www.msftncsi.com A
www.aieov.com A

Port Distribution

Port Count Protocols
137 1 udp
138 1 udp
5355 5 udp
53 50 udp
3702 1 udp

Hunting tip: alert on unknown binaries initiating TLS to IP‑lookup services or unusual CDN endpoints — especially early in execution.

Persistence & Policy — Registry and Services

Registry and service telemetry points to policy awareness and environment reconnaissance rather than noisy persistence. Below is a compact view of the most relevant keys and handles.

  • Registry Opened: 3
  • Registry Set: 1
  • Services Started: 0
  • Services Opened: 0

Registry Opened (Top 25)

Key
HKEY_LOCAL_MACHINE\SOFTWARE\WanaCrypt0r
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings
HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host

Registry Set (Top 25)

Key Value
HKEY_LOCAL_MACHINE\SOFTWARE\WanaCrypt0r\wd c:\analyse

What To Do Now — Practical Defense Playbook

  • Contain unknowns: block first‑run binaries by default — signatures catch up, containment works now.
  • EDR controls: alert on keyboard hooks, screen capture APIs, VM/sandbox checks, and command‑shell launches.
  • Registry watch: flag queries/sets under policy paths (e.g., …\FipsAlgorithmPolicy\*).
  • Network rules: inspect outbound TLS to IP‑lookup services and unexpected CDN endpoints.
  • Hunt broadly: sweep endpoints for the indicators above and quarantine positives immediately.

Dwell time equals attacker opportunity. Reducing execution privileges and egress shrinks that window even when vendors disagree.