Create Thread (C0038)

ID | C0038
Objective(s) | Process
Related ATT&CK Techniques | None
Version | 2.3
Created | 14 August 2020
Last Modified | 30 April 2024
Malware creates a thread.
Tool: capa | Mapping | APIs
create thread | Create Thread (C0038) | kernel32.CreateThread, _beginthread, _beginthreadex, PsCreateSystemThread, SHCreateThread, SHCreateThreadWithHandle, kernel32.CreateRemoteThread, kernel32.CreateRemoteThreadEx, RtlCreateUserThread, ntdll.NtCreateThread, ntdll.NtCreateThreadEx, ntdll.ZwCreateThread, ntdll.ZwCreateThreadEx, pthread_create, System.Threading.Thread::Start, System.Threading.Thread::ctor
spawn thread to RWX shellcode | Create Thread (C0038) | --
Process::Create Thread
SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
Location: 0x404915
mov param_2, dword ptr [ebp + param_4]
push param_2 ; lpThreadId: pointer that receives the new thread's identifier
mov param_2, dword ptr [ebp + param_5]
push param_2 ; dwCreationFlags: flags controlling thread creation
push param_1 ; lpParameter: pointer to the argument passed to the thread function
mov param_1, FUN_004048b8
push param_1 ; lpStartAddress: pointer to the function where the thread begins execution
push esi ; dwStackSize: initial stack size for the new thread
push ebx ; lpThreadAttributes: pointer to security attributes; if NULL, the thread handle cannot be inherited
call KERNEL32.DLL::CreateThread ; call to the thread-creation API (stdcall: arguments pushed right to left)
[1] capa v4.0, analyzed at MITRE on 10/12/2022
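The listing above pushes the six CreateThread arguments right to left, as x86 stdcall requires, so the push nearest the call is lpThreadAttributes and the earliest push is lpThreadId. The script below is an added example, not code from the MBC page or from capa: it walks a disassembly listing, follows simple `mov dst, src` aliases, and names each pushed operand from the documented Win32 prototype, so an analyst can read the call site as C. It generalises slightly beyond the page's case by also carrying the CreateRemoteThread prototype. The `SAMPLE` listing is a copy of the snippet above with its comments removed; the prototype table, the regular expressions and every function name are the example's own.

```python
"""Name the pushed arguments of an x86 stdcall thread-creation call.

Added example (not from the MBC page or capa). On 32-bit x86 the stdcall
convention pushes arguments right to left, so the push immediately before
`call CreateThread` is the first parameter (lpThreadAttributes) and the
earliest push is the last (lpThreadId). This walks a listing, tracks simple
`mov dst, src` aliases, and pairs each push with the documented prototype.
"""
import re

# Win32 prototypes in declaration order (documented parameter names).
PROTOTYPES = {
    "CreateThread": [
        "lpThreadAttributes", "dwStackSize", "lpStartAddress",
        "lpParameter", "dwCreationFlags", "lpThreadId",
    ],
    "CreateRemoteThread": [
        "hProcess", "lpThreadAttributes", "dwStackSize", "lpStartAddress",
        "lpParameter", "dwCreationFlags", "lpThreadId",
    ],
}

PUSH_RE = re.compile(r"^\s*push\s+([^;]+?)\s*(?:;.*)?$")
MOV_RE = re.compile(r"^\s*mov\s+([^,;]+?)\s*,\s*([^;]+?)\s*(?:;.*)?$")
CALL_RE = re.compile(r"^\s*call\s+(?:\S+::)?(\w+)\s*(?:;.*)?$")

# Constructed sample: a copy of the disassembly shown on the page.
SAMPLE = """\
mov param_2, dword ptr [ebp + param_4]
push param_2
mov param_2, dword ptr [ebp + param_5]
push param_2
push param_1
mov param_1, FUN_004048b8
push param_1
push esi
push ebx
call KERNEL32.DLL::CreateThread
"""


def resolve_calls(listing):
    """Return [(api, {param: operand}), ...] for each recognised call.

    Operands are reported as text; a register or local that was assigned by
    a preceding `mov` is replaced by that mov's source so the call site reads
    like source code. Anything else is left exactly as written. Only straight
    line code is handled: the alias table ignores other instructions.
    """
    results = []
    pending = []   # operands pushed since the last call, in program order
    aliases = {}   # dst -> src from the most recent mov

    for line in listing.splitlines():
        m = MOV_RE.match(line)
        if m:
            aliases[m.group(1).strip()] = m.group(2).strip()
            continue
        m = PUSH_RE.match(line)
        if m:
            op = m.group(1).strip()
            pending.append(aliases.get(op, op))
            continue
        m = CALL_RE.match(line)
        if m:
            api = m.group(1)
            params = PROTOTYPES.get(api)
            if params is not None:
                # stdcall: reversing the push order gives declaration order
                args = pending[::-1][:len(params)]
                results.append((api, dict(zip(params, args))))
            pending = []   # callee cleans the stack; start fresh
            aliases = {}
    return results


def describe(api, args):
    """Render one resolved call as C-like source."""
    return "%s(%s)" % (api, ", ".join("%s=%s" % kv for kv in args.items()))


if __name__ == "__main__":
    for api, args in resolve_calls(SAMPLE):
        print(describe(api, args))
```

Run on `SAMPLE`, the script prints `CreateThread(lpThreadAttributes=ebx, dwStackSize=esi, lpStartAddress=FUN_004048b8, lpParameter=param_1, dwCreationFlags=dword ptr [ebp + param_5], lpThreadId=dword ptr [ebp + param_4])`, which matches the annotations on the page. The alias tracking is deliberately naive: it assumes nothing between a `mov` and the matching `push` modifies the destination, which holds for the short prologue above but not for arbitrary code, so treat the output as a reading aid rather than a decompiler.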