Managed XDR

5b03b861884cb3e14a8b88...2345fa278d1ea5_new.exe (Lorenz) — malware analysis report

File info

Filename: 5b03b861884cb3e14a8b888c7dee2ee0d494933df863d504882345fa278d1ea5_new.exe
File type: PE32 executable (console) Intel 80386, for MS Windows
File size: 1.1 MB
First seen: 2026-03-10 05:11
Last seen: 2026-03-10 05:11

Environment

w10/x64 en

Hashes

SHA1: 951183cd7fefd15a92a557e7088dab6002f12536
SHA256: 25e039c4d445d174edd1b9de36b8e7196c0bc71cbf9b50c4543b18b7391e7d1b
MD5: f81f7aa27bde4101441ac4f69aa6d1cc

Malwares

Lorenz

Signatures

Execution

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1016 get_hostname: Attempts to get hostname

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Impact

T1486 modifies_files: Cryptolocker indicators detected (renamed 100 or more files)

T1486 mass_data_encryption: Encrypts data using the same key (possible ransomware behaviour)

T1485 deletes_files: Removes 100 or more files from C: drive

Other

yara_rules: Static rules

ce_info: Lorenz Configuration Data found

lorenz: Detected Lorenz ransomware

cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)

dead_host: Connects to IP addresses that do not respond to requests

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

writes_data: Writes big amount of data to disk

Related reports

Managed XDR