Kaspersky Threats — Trojan-Ransom.Win32.Gen.axzl

Class: Trojan-Ransom

This type of Trojan modifies data on the victim computer so that the victim can no longer use the data, or it prevents the computer from running correctly. Once the data has been “taken hostage” (blocked or encrypted), the user will receive a ransom demand. The ransom demand tells the victim to send the malicious user money; on receipt of this, the cyber criminal will send a program to the victim to restore the data or restore the computer’s performance.

Read more

Platform: Win32

Win32 is an API on Windows NT-based operating systems (Windows XP, Windows 7, etc.) that supports execution of 32-bit applications. One of the most widespread programming platforms in the world.

Family: Trojan-Ransom.Win32.Gen.axzl

No family description

Examples

E456F28515912A627D842151B3C66D0C
C60BBDE2C542E2BB8AD4D5857A221A88
89B641A6095C9E6291DE2E95AE66B298
E1BC757CC37E6A624C87371D1CE5A8C9
B5EC9B047E71F6C7C54FDCE75C42105D

Tactics and Techniques: Mitre*

TA0005

Defense Evasion

Adversaries may inject malicious code into suspended and hollowed processes in order to evade process-based defenses. Process hollowing is a method of executing arbitrary code in the address space of a separate live process.

T1055.012

Process Hollowing

T1564.001

Hidden Files and Directories

Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches (dir /a for Windows and ls –a for Linux and macOS).