Managed XDR

vtdl_1757075516_t96vc0u4 (AvosLocker, Avos) — malware analysis report

File info

Filename: vtdl_1757075516_t96vc0u4
File type: PE32+ executable (console) x86-64, for MS Windows
File size: 1.2 MB
First seen: 2025-09-05 12:45
Last seen: 2025-09-05 12:45

Environment

win7/x64 en

Hashes

SHA1: 7ab79f277158c52b16bd4e2a274be6b2bc6713de
SHA256: eb018a10be1cf5e5ad3c36d286bd9ebf3ba333bd27dc9c6732234ad95c290fb2
MD5: a7a5c5ef8ee8f321280a499aa339be61

Malwares

AvosLocker
Avos

Signatures

Execution

T1059.001 suspicious_powershell: Creates suspicious powershell process

T1047 has_wmi: Executes one or several WMI requests

T1059.001 suspicious_process: Spawns a suspicious process

Privilege Escalation

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Defense Evasion

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

T1070 stealth_window: A process created a hidden window

T1134 sets_privilegies_via_adjusttokenprivileges: Sets process privilege via AdjustTokenPrivileges

T1134 opens_thread_token: Opens the access token associated with a thread

T1134 opens_process_token: Opens the access token associated with a process

Credential Access

T1552.001 infostealer_bitcoin: Attempts to obtain access to Bitcoin/ALTCoin wallets

T1555.003 cookie_files: Accesses cookie files

T1552 cookie_files: Accesses cookie files

Discovery

T1083 crawls_directories: Opens a huge number of directories all over disk C: (possibly, searches for sensitive data)

T1518 locates_browser: Attempts to identify where browsers are installed

T1497 evasion_diskenum: Sandbox evasion using enumeration of partitions

Collection

T1074.001 access_recyclebin: Manipulation with recyclebin detected

Impact

T1486 modifies_files2: Cryptolocker indicators detected (500 or more files are modified)

T1486 modifies_files: Cryptolocker indicators detected (renamed 500 or more files)

T1490 vssadmin_delete_shadows: Attempt to delete volume shadow copies

T1486 ransomware_message: Ransomware indicators detected (possible ransom message creation)

T1486 ransomware_extensions: Ransomware(s) AvosLocker indicators detected (specific extension is added to files)

T1486 ransomware_files_2: Ransomware(s) AvosLocker indicators detected (creates keys and the instruction on how to unlock the files)

T1486 mass_data_encryption: Encrypts data using the same key (possible ransomware behaviour)

Other

yara_rules: Static rules

ransomware_avos: Detected Avos ransomware

ransomware_shadowcopy: Removes volume shadow copies

ransomware_bcdedit: Runs bcdedit commands specific to ransomware

creates_exe: Creates executable files in the file system

executes_dropped_exe: Executes dropped exe files

break_limit_exceeded: Warning: function calls limit has been exceeded

get_policy_info: Retrieves information about a Policy object

test_check_service: Starts services

writes_data: Writes big amount of data to disk

Related reports

Managed XDR