Managed XDR

5b03b861884cb3e14a8b88...2345fa278d1ea5_new.exe (Lorenz) — malware analysis report

File info

Filename: 5b03b861884cb3e14a8b888c7dee2ee0d494933df863d504882345fa278d1ea5_new.exe
File type: PE32 executable (console) Intel 80386, for MS Windows
File size: 1.1 MB
First seen: 2026-03-10 05:23
Last seen: 2026-03-10 05:23

Environment

w10/x64 en

Hashes

SHA1: 7171653e65ebab359bdb05bd17c2f3a7d71c2e05
SHA256: 5442fb29f806a3531b88d772cdb546f9d20d05e4d57cc5bcdef156e9545b5dc2
MD5: 120e7fcf54ce26dd8fb98d76c1c9ff84

Malwares

Lorenz

Signatures

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1027.002 packer_entropy: Probably contains compressed or encrypted data

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1082 has_wmi: Executes one or several WMI requests

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.001 antivm_queries_computername: Retrieves the computer name

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1016 get_hostname: Attempts to get hostname

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Other

yara_rules: Static rules

ce_info: Lorenz Configuration Data found

dead_host: Connects to IP addresses that do not respond to requests

process_crashed: One of the processes has failed

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

writes_data: Writes big amount of data to disk

Related reports

Managed XDR