If I understand correctly, the code does not encrypt itself; it encrypts the malware payload. As to the details of how it executes, I suspect that depends on the vulnerability the malware loader is trying to exploit.
I'll pass your questions along to the researchers. Hopefully they will have the time to answer.