Managed XDR

7275034886da11ca6d8285...d237aa686455dd_new.exe (Lorenz) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла
7275034886da11ca6d828547f15cab259e22ba624c5f5762afd237aa686455dd_new.exe
Тип файла
PE32 executable (console) Intel 80386, for MS Windows
Размер файла
1 MB
Первое обнаружение
Последнее обнаружение

Окружение

w10/x64 en

Хеши

SHA1
cf377564e4c674ac13e1e2a44ac95e91b0b5b9b7
SHA256
56a907cefa05e8fefe4d84316366ae0c1ed0d3f439a79ea69e4e1804a760b10f
MD5
8df2bc331a575e50273af7fe497c2c71

Вредоносное ПО

  • Lorenz

Сигнатуры

Execution

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

Persistence

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup

Privilege Escalation

T1053.005 creates_tasks: Creates a delayed task using Task Scheduler
T1053.005 persistence_autorun: Makes itself run automatically on Windows startup
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1027.002 packer_entropy: Probably contains compressed or encrypted data
T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey
T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges
T1134 opens_thread_token: Opens the access token associated with a thread
T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1555.004 windows_credential_manager: Acquire credentials from the Windows Credential Manager

Discovery

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers
T1497.001 antivm_queries_computername: Retrieves the computer name
T1497.002 antivm_usbstor: Reads information about usbdevices from regkey

Impact

T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies

Other

yara_rules: Static rules
ce_info: Lorenz Configuration Data found
lorenz: Detected Lorenz ransomware
ransomware_shadowcopy: Removes volume shadow copies
network_bind: Starts servers listening at None
dead_host: Connects to IP addresses that do not respond to requests
process_crashed: One of the processes has failed
has_pdb: This executable file has a PDB path
creates_suspended_process: Creates suspended process
suspicious_network_port: Performs TCP or UDP request to non-standard port
test_check_service: Starts services
writes_data: Writes big amount of data to disk

Похожие отчёты

Managed XDR