Managed XDR

depthfolderlock.exe (Ramnit) — malware analysis report

File info

Filename
depthfolderlock.exe
File type
PE32 executable (GUI) Intel 80386, for MS Windows
File size
1.1 MB
First seen
Last seen

Environment

win7/x86 en

Hashes

SHA1
f0bbe4b8c42c6180ee6586b750be5f2c84dcce70
SHA256
a88c5d3e545ffbdfe276fd7cab4e7fd62e2a78de74a58bbcae53c6a8417b5a2d
MD5
e23df0463ebb86b899e2a3fd93585ec7

Malwares

  • Ramnit

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1027.002 pe_features: Executable file has PE anomalies (may be false positive)
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process
T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Discovery

T1082 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1497.001 antivm_generic_disk: Checks information on disk, possibly for anti-virtualization or checking privileges
T1497.003 antisandbox_sleep: The process attempted to slow down analysis

Other

yara_rules: Static rules
protector_asprotect: Executable file is protected with ASProtect
checktokenmembership: Checks user token with CheckTokenMembership call

Related reports