| | |
|---|---|
| **ID** | C0041 |
| **Objective(s)** | Process |
| **Related ATT&CK Techniques** | None |
| **Version** | 2.1 |
| **Created** | 4 December 2020 |
| **Last Modified** | 30 April 2024 |

Set Thread Local Storage Value

Malware allocates thread local storage.

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| Dark Comet | 2008 | -- | Dark Comet sets thread local storage values. [1] |
| Gamut | 2014 | -- | Gamut sets thread local storage values. [1] |
| Hupigon | 2013 | -- | Hupigon sets thread local storage values. [1] |
| Kovter | 2016 | -- | Kovter sets thread local storage values. [1] |
| Redhip | 2011 | -- | Redhip sets thread local storage values. [1] |
| Rombertik | 2015 | -- | Rombertik sets thread local storage values. [1] |

Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| set thread local storage value | Set Thread Local Storage Value (C0041) | kernel32.TlsSetValue |

C0041 Snippet

Process::Set Thread Local Storage Value
SHA256: 3ac8c22eb7c59d35fe49c20f2a0eca06765543dfb15f455a5557af4428066641
Location: 0x180005B08

```asm
mov     param_2, rbx    ; Value to be stored in TLS index
mov     param_1, edi    ; TLS index
call    qword ptr [->KERNEL32.DLL::TlsSetValue] ; Call Windows API function to store value in thread's thread local storage (TLS) at the specified index
```
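
The snippet above can be triaged mechanically. The following Python helper is an added example, not part of the MBC entry or of capa: it scans a Ghidra-style listing for calls to `TlsSetValue` and reports which operands last fed the index and value argument registers. The function name `find_tls_set_calls` and every sample line after the first three are assumptions constructed for illustration, and the register tracking is a heuristic for the Microsoft x64 calling convention only.

```python
import re

# Microsoft x64 convention: argument 1 in rcx/ecx, argument 2 in rdx/edx.
# Ghidra listings such as the snippet above may name them param_1 / param_2.
ARG1 = {"rcx", "ecx", "param_1"}   # TlsSetValue dwTlsIndex
ARG2 = {"rdx", "edx", "param_2"}   # TlsSetValue lpTlsValue
MOVES = {"mov", "lea", "movzx", "movsxd"}
INSN = re.compile(r"^\s*(?P<mnem>[a-z]+)\s+(?P<ops>[^;]*)", re.I)

def find_tls_set_calls(listing):
    """Hypothetical helper: for each call to TlsSetValue, report the operands
    last written to the index and value registers (None if unknown)."""
    hits, index_src, value_src = [], None, None
    for lineno, line in enumerate(listing.splitlines(), 1):
        m = INSN.match(line)
        if not m:
            continue
        mnem, ops = m["mnem"].lower(), m["ops"].strip()
        if mnem == "call":
            if "tlssetvalue" in ops.lower():
                hits.append({"line": lineno, "index": index_src, "value": value_src})
            index_src = value_src = None   # rcx/rdx are volatile across calls
        elif "," in ops and mnem not in ("cmp", "test"):
            dst, src = (p.strip() for p in ops.split(",", 1))
            if mnem == "xor" and dst.lower() == src.lower():
                src = "0"                  # register-zeroing idiom
            elif mnem not in MOVES:
                src = "?"                  # computed, not tracked further
            if dst.lower() in ARG1:
                index_src = src
            elif dst.lower() in ARG2:
                value_src = src
    return hits

# The first three lines follow the page's snippet; the rest is constructed sample input.
SAMPLE = """\
mov     param_2, rbx    ; Value to be stored in TLS index
mov     param_1, edi    ; TLS index
call    qword ptr [->KERNEL32.DLL::TlsSetValue]
call    qword ptr [->KERNEL32.DLL::GetLastError]
mov     ecx, dword ptr [rsi + 0x10]
xor     edx, edx
call    qword ptr [->KERNEL32.DLL::TlsSetValue]
call    qword ptr [->KERNEL32.DLL::TlsSetValue]
"""

if __name__ == "__main__":
    for hit in find_tls_set_calls(SAMPLE):
        print(hit)
```

A hit whose `index` or `value` is `None` means the arguments were set before an intervening call or outside the listing, so the call site needs manual review.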

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022