ID | C0042 |
Objective(s) | Process |
Related ATT&CK Techniques | None |
Version | 2.2 |
Created | 4 December 2020 |
Last Modified | 30 April 2024 |

Malware creates a mutex.

Name | Date | Method | Description |
---|---|---|---|
Poison Ivy | 2005 | -- | Poison Ivy has a default process mutex, which can be altered at build time. [1] |
Stuxnet | 2010 | -- | Malware creates global mutexes that signal rootkit installation has occurred successfully. [2] |
Hupigon | 2013 | -- | Hupigon creates a mutex. [3] |
Kovter | 2016 | -- | Kovter creates a mutex. [3] |
Redhip | 2011 | -- | Redhip creates a mutex. [3] |
Rombertik | 2015 | -- | Rombertik creates a mutex. [3] |

Tool: capa | Mapping | APIs |
---|---|---|
create mutex | Create Mutex (C0042) | kernel32.CreateMutex, kernel32.CreateMutexEx, System.Threading.Mutex::ctor |
lock file | Create Mutex (C0042) | fcntl |

Tool: CAPE | Mapping | APIs |
---|---|---|
banker_zeus_mutex | Create Mutex (C0042) | -- |
parallax_mutexes | Create Mutex (C0042) | -- |
gandcrab_mutexes | Create Mutex (C0042) | -- |
packer_armadillo_mutex | Create Mutex (C0042) | -- |
fleercivet_mutex | Create Mutex (C0042) | -- |
renamer_mutexes | Create Mutex (C0042) | -- |
revil_mutexes | Create Mutex (C0042) | -- |
trickbot_mutex | Create Mutex (C0042) | -- |
rat_fynloski_mutexes | Create Mutex (C0042) | -- |
rat_beebus_mutexes | Create Mutex (C0042) | -- |
xpertrat_mutexes | Create Mutex (C0042) | -- |
nemty_mutexes | Create Mutex (C0042) | -- |
stop_ransom_mutexes | Create Mutex (C0042) | -- |
okrum_mutexes | Create Mutex (C0042) | -- |
pysa_mutexes | Create Mutex (C0042) | -- |
banker_cridex | Create Mutex (C0042) | -- |
fonix_mutexes | Create Mutex (C0042) | -- |
germanwiper_mutexes | Create Mutex (C0042) | -- |
ratsnif_mutexes | Create Mutex (C0042) | -- |
crat_mutexes | Create Mutex (C0042) | -- |
neshta_mutexes | Create Mutex (C0042) | -- |
banker_spyeye_mutexes | Create Mutex (C0042) | -- |
powerpool_mutexes | Create Mutex (C0042) | -- |
geodo_banking_trojan | Create Mutex (C0042) | -- |
deepfreeze_mutex | Create Mutex (C0042) | -- |
rat_xtreme_mutexes | Create Mutex (C0042) | -- |
lokibot_mutexes | Create Mutex (C0042) | -- |
blackrat_mutexes | Create Mutex (C0042) | -- |
rat_plugx_mutexes | Create Mutex (C0042) | -- |
obliquerat_mutexes | Create Mutex (C0042) | -- |
cypherit_mutexes | Create Mutex (C0042) | -- |
protonbot_mutexes | Create Mutex (C0042) | -- |
cryptomix_mutexes | Create Mutex (C0042) | -- |
phorpiex_mutexes | Create Mutex (C0042) | -- |
venomrat_mutexes | Create Mutex (C0042) | -- |
dcrat_mutexes | Create Mutex (C0042) | -- |
andromut_mutexes | Create Mutex (C0042) | -- |
azorult_mutexes | Create Mutex (C0042) | -- |
dharma_mutexes | Create Mutex (C0042) | -- |
rat_quasar_mutexes | Create Mutex (C0042) | -- |
bot_russkill | Create Mutex (C0042) | -- |
snake_ransom_mutexes | Create Mutex (C0042) | -- |
limerat_mutexes | Create Mutex (C0042) | -- |
qulab_mutexes | Create Mutex (C0042) | -- |
allaple_mutexes | Create Mutex (C0042) | -- |
banker_zeus_p2p | Create Mutex (C0042) | -- |
carberp_mutex | Create Mutex (C0042) | -- |
rat_poisonivy_mutexes | Create Mutex (C0042) | -- |
satan_mutexes | Create Mutex (C0042) | -- |
medusalocker_mutexes | Create Mutex (C0042) | -- |
remcos_mutexes | Create Mutex (C0042) | -- |
Process::Create Mutex
SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c

Location: 0x402A1E

```asm
push eax                                       ; name of mutex
push 0x0                                       ; if the thread that creates the mutex owns it (false, in this case)
push 0x0                                       ; optional security descriptor set to NULL, so default security descriptor will be used
call dword ptr [->KERNEL32.DLL::CreateMutexW]  ; call function to create mutex
```

[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
[2] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[3] capa v4.0, analyzed at MITRE on 10/12/2022