Classe: Trojan-Ransom
Esse tipo de cavalo de Tróia modifica os dados no computador da vítima para que a vítima não possa mais usar os dados ou impede que o computador seja executado corretamente. Depois que os dados forem "tomados como reféns" (bloqueados ou criptografados), o usuário receberá uma demanda de resgate. A demanda de resgate diz à vítima para enviar o dinheiro do usuário malicioso; Após recebê-lo, o criminoso virtual enviará um programa à vítima para restaurar os dados ou restaurar o desempenho do computador.Plataforma: Win32
O Win32 é uma API em sistemas operacionais baseados no Windows NT (Windows XP, Windows 7, etc.) que oferece suporte à execução de aplicativos de 32 bits. Uma das plataformas de programação mais difundidas do mundo.Família: Trojan-Ransom.Win32.Gen
No family descriptionExamples
57574D5369AE022C48177BB806EFF123Tactics and Techniques: Mitre*
TA0002
Execution
The adversary is trying to run malicious code. Execution consists of techniques that result in adversary-controlled code running on a local or remote system. Techniques that run malicious code are often paired with techniques from all other tactics to achieve broader goals, like exploring a network or stealing data. For example, an adversary might use a remote access tool to run a PowerShell script that does Remote System Discovery.
T1059.001
PowerShell
Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the
Start-Process cmdlet which can be used to run an executable and the Invoke-Command cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems). TA0005
Defense Evasion
The adversary is trying to avoid being detected. Defense Evasion consists of techniques that adversaries use to avoid detection throughout their compromise. Techniques used for defense evasion include uninstalling/disabling security software or obfuscating/encrypting data and scripts. Adversaries also leverage and abuse trusted processes to hide and masquerade their malware. Other tactics' techniques are cross-listed here when those techniques include the added benefit of subverting defenses.
T1036.003
Rename Legitimate Utilities
Adversaries may rename legitimate / system utilities to try to evade security mechanisms concerning the usage of those utilities. Security monitoring and control mechanisms may be in place for legitimate utilities adversaries are capable of abusing, including both built-in binaries and tools such as PSExec, AutoHotKey, and IronPython. It may be possible to bypass those security mechanisms by renaming the utility prior to utilization (ex: rename
rundll32.exe). An alternative case occurs when a legitimate utility is copied or moved to a different directory and renamed to avoid detections based on these utilities executing from non-standard paths. T1112
Modify Registry
Adversaries may interact with the Windows Registry as part of a variety of other techniques to aid in defense evasion, persistence, and execution.
TA0008
Lateral Movement
The adversary is trying to move through your environment. Lateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier.
T1021.001
Remote Desktop Protocol
Adversaries may use Valid Accounts to log into a computer using the Remote Desktop Protocol (RDP). The adversary may then perform actions as the logged-on user.
* © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.