Managed XDR

5b03b861884cb3e14a8b88...2345fa278d1ea5_new.exe (Lorenz) — отчёт о динамическом анализе вредоносного файла

Информация о файле

Имя файла: 5b03b861884cb3e14a8b888c7dee2ee0d494933df863d504882345fa278d1ea5_new.exe
Тип файла: PE32 executable (console) Intel 80386, for MS Windows
Размер файла: 1.1 MB
Первое обнаружение: 2026-03-10 05:18
Последнее обнаружение: 2026-03-10 05:18

Окружение

w10/x64 en

Хеши

SHA1: d487e806bdbb14d00c7de336f05915fdeb7b7e82
SHA256: 39d4a5c5d1f89386050657a6d4875d02c06dfc564543f01ee41ff5f0907de045
MD5: 7c4e65bc8a85db4accfc7fc75c326310

Вредоносное ПО

Lorenz

Сигнатуры

Execution

T1047 has_wmi: Executes one or several WMI requests

Privilege Escalation

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

T1027.002 packer_entropy: Probably contains compressed or encrypted data

Discovery

T1033 recon_beacon: The process has sent information about the computer over the network

T1082 uses_windows_utilities: Uses Windows utilities for basic Windows functionality

T1497.003 antisandbox_sleep: The process attempted to slow down analysis

T1497 evasion_printers: Attempts to detect Sandbox by exploring existing printers

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1016 get_hostname: Attempts to get hostname

Command and Control

T1071.001 recon_beacon: The process has sent information about the computer over the network

T1071.001 wininet_https: Performs HTTP/HTTPS requests using WinInet

Exfiltration

T1022 encrypts_pc_info: Collects and encrypts information about the computer (possibly for exfiltration)

Impact

T1486 modifies_files: Cryptolocker indicators detected (renamed 100 or more files)

T1486 mass_data_encryption: Encrypts data using the same key (possible ransomware behaviour)

T1485 deletes_files: Removes 100 or more files from C: drive

Other

yara_rules: Static rules

ce_info: Lorenz Configuration Data found

lorenz: Detected Lorenz ransomware

cryptolocker_wallpaper: Ransomware indicators detected (changes the desktop wallpaper file)

dead_host: Connects to IP addresses that do not respond to requests

no_graphical_activity: No graphic activity

has_pdb: This executable file has a PDB path

creates_suspended_process: Creates suspended process

break_limit_exceeded: Warning: function calls limit has been exceeded

test_check_service: Starts services

writes_data: Writes big amount of data to disk