Managed XDR

8ea6a6d4578029c7b2dbbf...471b6101f0de41_new.exe (Lorenz) — malware analysis report

File info

Filename: 8ea6a6d4578029c7b2dbbfb525ec88b2cb309901ec5a987847471b6101f0de41_new.exe
File type: PE32 executable (console) Intel 80386, for MS Windows
File size: 1013.5 KB
First seen: 2026-03-10 05:02
Last seen: 2026-03-10 05:02

Environment

w10/x64 en

Hashes

SHA1: 7b69a36ef960bcda201a58c2df3e3c06582f9817
SHA256: 2ab34b1a698a1c47fc5dde9b28ce18838de28d55dca30393003cae6e19091188
MD5: d1031bbd139dac40b50e99d70eff7e79

Malwares

Lorenz

Signatures

Execution

T1047 antivm_wmi: Uses WMI to detect virtual environment

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1027.002 packer_entropy: Probably contains compressed or encrypted data

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1082 has_wmi: Executes one or several WMI requests

T1497.001 antivm_wmi: Uses WMI to detect virtual environment

T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)

T1518 locates_browser: Attempts to identify where browsers are installed

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1497.001 antivm_generic_productname: Checks system product name in registry, possibly for anti-virtualization

T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Command and Control

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Impact

T1486 ransomware_message: Ransomware indicators detected (possible ransom message creation)

Other

yara_rules: Static rules

ce_info: Lorenz Configuration Data found

dead_host: Connects to IP addresses that do not respond to requests

has_pdb: This executable file has a PDB path

suspicious_network_port: Performs TCP or UDP request to non-standard port

test_check_service: Starts services

writes_data: Writes big amount of data to disk

Related reports

Managed XDR