| ID | C0042 |
| Objective(s) | Process |
| Related ATT&CK Techniques | None |
| Version | 2.2 |
| Created | 4 December 2020 |
| Last Modified | 30 April 2024 |
Malware creates a mutex.
| Name | Date | Method | Description |
|---|---|---|---|
| Poison Ivy | 2005 | -- | Poison Ivy has a default process mutex, but can be altered at build time. [1] |
| Stuxnet | 2010 | -- | Malware creates global mutexes that signal rootkit installation has occurred successfully. [2] |
| Hupigon | 2013 | -- | Hupigon creates a mutex. [3] |
| Kovter | 2016 | -- | Kovter creates a mutex. [3] |
| Redhip | 2011 | -- | Redhip creates a mutex. [3] |
| Rombertik | 2015 | -- | Rombertik creates a mutex. [3] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| create mutex | Create Mutex (C0042) | kernel32.CreateMutex, kernel32.CreateMutexEx, System.Threading.Mutex::ctor |
| lock file | Create Mutex (C0042) | fcntl |
| Tool: CAPE | Mapping | APIs |
|---|---|---|
| banker_zeus_mutex | Create Mutex (C0042) | -- |
| parallax_mutexes | Create Mutex (C0042) | -- |
| gandcrab_mutexes | Create Mutex (C0042) | -- |
| packer_armadillo_mutex | Create Mutex (C0042) | -- |
| fleercivet_mutex | Create Mutex (C0042) | -- |
| renamer_mutexes | Create Mutex (C0042) | -- |
| revil_mutexes | Create Mutex (C0042) | -- |
| trickbot_mutex | Create Mutex (C0042) | -- |
| rat_fynloski_mutexes | Create Mutex (C0042) | -- |
| rat_beebus_mutexes | Create Mutex (C0042) | -- |
| xpertrat_mutexes | Create Mutex (C0042) | -- |
| nemty_mutexes | Create Mutex (C0042) | -- |
| stop_ransom_mutexes | Create Mutex (C0042) | -- |
| okrum_mutexes | Create Mutex (C0042) | -- |
| pysa_mutexes | Create Mutex (C0042) | -- |
| banker_cridex | Create Mutex (C0042) | -- |
| fonix_mutexes | Create Mutex (C0042) | -- |
| germanwiper_mutexes | Create Mutex (C0042) | -- |
| ratsnif_mutexes | Create Mutex (C0042) | -- |
| crat_mutexes | Create Mutex (C0042) | -- |
| neshta_mutexes | Create Mutex (C0042) | -- |
| banker_spyeye_mutexes | Create Mutex (C0042) | -- |
| powerpool_mutexes | Create Mutex (C0042) | -- |
| geodo_banking_trojan | Create Mutex (C0042) | -- |
| deepfreeze_mutex | Create Mutex (C0042) | -- |
| rat_xtreme_mutexes | Create Mutex (C0042) | -- |
| lokibot_mutexes | Create Mutex (C0042) | -- |
| blackrat_mutexes | Create Mutex (C0042) | -- |
| rat_plugx_mutexes | Create Mutex (C0042) | -- |
| obliquerat_mutexes | Create Mutex (C0042) | -- |
| cypherit_mutexes | Create Mutex (C0042) | -- |
| protonbot_mutexes | Create Mutex (C0042) | -- |
| cryptomix_mutexes | Create Mutex (C0042) | -- |
| phorpiex_mutexes | Create Mutex (C0042) | -- |
| venomrat_mutexes | Create Mutex (C0042) | -- |
| dcrat_mutexes | Create Mutex (C0042) | -- |
| andromut_mutexes | Create Mutex (C0042) | -- |
| azorult_mutexes | Create Mutex (C0042) | -- |
| dharma_mutexes | Create Mutex (C0042) | -- |
| rat_quasar_mutexes | Create Mutex (C0042) | -- |
| bot_russkill | Create Mutex (C0042) | -- |
| snake_ransom_mutexes | Create Mutex (C0042) | -- |
| limerat_mutexes | Create Mutex (C0042) | -- |
| qulab_mutexes | Create Mutex (C0042) | -- |
| allaple_mutexes | Create Mutex (C0042) | -- |
| banker_zeus_p2p | Create Mutex (C0042) | -- |
| carberp_mutex | Create Mutex (C0042) | -- |
| rat_poisonivy_mutexes | Create Mutex (C0042) | -- |
| satan_mutexes | Create Mutex (C0042) | -- |
| medusalocker_mutexes | Create Mutex (C0042) | -- |
| remcos_mutexes | Create Mutex (C0042) | -- |
Process::Create Mutex
SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c Location: 0x402A1Epush eax ; name of mutex push 0x0 ; if the thread that creates the mutex owns it (false, in this case) push 0x0 ; optional security descriptor set to NULL, so default security descriptor will be used call dword ptr [->KERNEL32.DLL::CreateMutexW] ; call function to create mutex
[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
[2] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[3] capa v4.0, analyzed at MITRE on 10/12/2022