Managed XDR

40ff1ab8ac09057421079d...a0d720c5b0f58c_new.exe (Lorenz) — malware analysis report

File info

Filename: 40ff1ab8ac09057421079dae83fb675d7a2a3da6c7d0cd6400a0d720c5b0f58c_new.exe
File type: PE32 executable (console) Intel 80386, for MS Windows
File size: 1.1 MB
First seen: 2026-03-10 05:13
Last seen: 2026-03-10 05:13

Environment

w10/x64 en

Hashes

SHA1: 1bf0d80dbb654fc4c8392083b46084f8f144a7f9
SHA256: 3ee106156ebb26f0dc56000d3dd04edb6b72a8aaebec2c86c67dde96dae6a741
MD5: e4fdb0d99f71b2b776f5e4c166a3ec93

Malwares

Lorenz

Signatures

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1016 get_hostname: Attempts to get hostname

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Impact

T1486 modifies_files: Cryptolocker indicators detected (renamed 100 or more files)

T1486 mass_data_encryption: Encrypts data using the same key (possible ransomware behaviour)

T1485 deletes_files: Removes 100 or more files from C: drive

Other

yara_rules: Static rules

ce_info: Lorenz Configuration Data found

lorenz: Detected Lorenz ransomware

creates_in_windows: Creates files in the Windows directory

cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)

dead_host: Connects to IP addresses that do not respond to requests

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

test_check_service: Starts services

writes_data: Writes big amount of data to disk

Related reports

Managed XDR