| ID | Objective(s) | Related ATT&CK Techniques | Version | Created | Last Modified |
|---|---|---|---|---|---|
| C0007 | Memory | None | 2.2 | 14 August 2020 | 30 April 2023 |
Malware allocates memory, often to hold code or data it unpacks or decrypts at run time. The samples below were flagged for allocating, or re-protecting, memory that is both writable and executable (RWX), or for starting a thread inside such a region.
| Name | Date | Method | Description |
|---|---|---|---|
| CryptoLocker | 2013 | -- | CryptoLocker allocates RWX memory. [1] |
| Dark Comet | 2008 | -- | Dark Comet allocates RWX memory. [1] |
| DNSChanger | 2011 | -- | DNSChanger allocates RWX memory. [1] |
| Hupigon | 2013 | -- | Hupigon allocates RWX memory. [1] |
| Mebromi | 2011 | -- | Mebromi allocates RWX memory. [1] |
| Redhip | 2011 | -- | Redhip spawns threads to RWX shellcode. [1] |
| Rombertik | 2015 | -- | Rombertik allocates RWX memory. [1] |
| Stuxnet | 2010 | -- | Stuxnet allocates RWX memory. [1] |
| TrickBot | 2016 | -- | TrickBot allocates RWX memory. [1] |
Tool: capa

| Mapping | APIs |
|---|---|
| allocate or change RWX memory → Allocate Memory (C0007) | -- |
| allocate memory → Allocate Memory (C0007) | kernel32.VirtualAlloc, kernel32.VirtualAllocEx, kernel32.VirtualAllocExNuma, kernel32.VirtualProtect, kernel32.VirtualProtectEx, NtAllocateVirtualMemory, ZwAllocateVirtualMemory, NtMapViewOfSection, ZwMapViewOfSection, NtProtectVirtualMemory, ZwProtectVirtualMemory |
| allocate or change RW memory → Allocate Memory (C0007) | -- |
| spawn thread to RWX shellcode → Allocate Memory (C0007) | -- |
Tool: CAPE

| Class | Mapping | APIs |
|---|---|---|
| Unpacker | CAPE_Unpacker → Allocate Memory (C0007) | VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory |
Memory::Allocate Memory
SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
Location: 0x422BDC
push 0x40 ; flProtect = PAGE_EXECUTE_READWRITE (0x40): the new region is readable, writable and executable at once
push 0x1000 ; flAllocationType = MEM_COMMIT (0x1000): commit the pages now; physical storage is backed on first access
push 0x1000 ; dwSize = 0x1000 bytes (one page)
push 0x0 ; lpAddress = NULL: let the system choose the base address
call KERNEL32.DLL::VirtualAlloc ; VirtualAlloc(lpAddress, dwSize, flAllocationType, flProtect); stdcall pushes arguments right to left, base address returned in EAX
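The disassembly above is the allocation half of the behaviour; the capa and CAPE mappings on this page are the detection half. The following is an added example, not code from MBC, capa or CAPE, that replays an API-call trace and emits the four capa rule names listed above (allocate memory, RWX, RW, thread into RWX). It assumes a normalised trace shape (one dict per call with `protect`, `size`, `address`/`start` and, for allocators, the resulting base in `ret`), which a real sandbox log would need a small adapter to reach, and the trace itself is constructed. It also goes one step beyond the capa rules with a labelled heuristic for the W^X-friendly variant of the same unpack (allocate RW, write, flip to RX), which the RWX rules alone miss.

```python
"""Replay a normalised Windows API-call trace and flag C0007 memory behaviours.

Added example, not MBC/capa/CAPE code. Trace shape is an assumption: one dict
per call, "protect" = Win32 page protection, "size" = bytes, "address"/"start"
= address argument, "ret" = resulting base address for allocators.
"""
from dataclasses import dataclass

# Win32 page-protection values: the low byte holds exactly one of these.
PAGE_READWRITE = 0x04
PAGE_WRITECOPY = 0x08
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000

EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}
WRITABLE = {PAGE_READWRITE, PAGE_WRITECOPY, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}

# API names from the capa/CAPE mappings above; Nt/Zw pairs behave alike.
ALLOCATORS = {"VirtualAlloc", "VirtualAllocEx", "VirtualAllocExNuma",
              "NtAllocateVirtualMemory", "ZwAllocateVirtualMemory"}
PROTECTORS = {"VirtualProtect", "VirtualProtectEx",
              "NtProtectVirtualMemory", "ZwProtectVirtualMemory"}
THREAD_STARTERS = {"CreateThread", "CreateRemoteThread"}


def classify(protect):
    """Return (executable, writable). Modifier bits such as PAGE_GUARD (0x100)
    sit above the low byte and do not change the access class."""
    base = protect & 0xFF
    return base in EXECUTABLE, base in WRITABLE


@dataclass
class Region:
    base: int
    size: int
    protect: int
    ever_writable: bool


def analyze(trace):
    """Return (rule, api, address) findings in trace order."""
    regions, findings = [], []

    def region_at(addr):
        return next((r for r in regions if r.base <= addr < r.base + r.size), None)

    def note_protection(api, addr, protect):
        executable, writable = classify(protect)
        if executable and writable:
            findings.append(("allocate or change RWX memory", api, addr))
        elif writable:
            findings.append(("allocate or change RW memory", api, addr))
        return executable, writable

    for call in trace:
        api, args = call["api"], call["args"]
        if api in ALLOCATORS:
            base = call["ret"]
            findings.append(("allocate memory", api, base))
            _, writable = note_protection(api, base, args["protect"])
            regions.append(Region(base, args["size"], args["protect"], writable))
        elif api in PROTECTORS:
            addr = args["address"]
            executable, writable = note_protection(api, addr, args["protect"])
            region = region_at(addr)
            if region is not None:
                # Added heuristic (not a capa rule): a region written while RW
                # and then flipped to execute-only is the W^X-friendly unpack.
                if executable and not writable and region.ever_writable:
                    findings.append(("writable region made executable", api, region.base))
                region.protect = args["protect"]
                region.ever_writable = region.ever_writable or writable
        elif api in THREAD_STARTERS:
            region = region_at(args["start"])
            if region is not None and all(classify(region.protect)):
                findings.append(("spawn thread to RWX shellcode", api, args["start"]))
    return findings


# Constructed trace: an RWX stub with a thread started inside it, then a staged
# RW -> RX unpack whose region is later downgraded to RWX.
SAMPLE_TRACE = [
    {"api": "VirtualAlloc", "args": {"address": 0, "size": 0x1000, "type": MEM_COMMIT,
                                     "protect": PAGE_EXECUTE_READWRITE}, "ret": 0x00420000},
    {"api": "CreateThread", "args": {"start": 0x00420010}, "ret": 0x1F4},
    {"api": "VirtualAlloc", "args": {"address": 0, "size": 0x2000, "type": MEM_COMMIT | MEM_RESERVE,
                                     "protect": PAGE_READWRITE}, "ret": 0x00500000},
    {"api": "VirtualProtect", "args": {"address": 0x00500000, "size": 0x2000,
                                       "protect": PAGE_EXECUTE_READ}, "ret": 1},
    {"api": "CreateThread", "args": {"start": 0x00500000}, "ret": 0x1F8},
    {"api": "NtProtectVirtualMemory", "args": {"address": 0x00500000, "size": 0x2000,
                                               "protect": PAGE_EXECUTE_READWRITE}, "ret": 0},
]

if __name__ == "__main__":
    for rule, api, addr in analyze(SAMPLE_TRACE):
        print(f"{rule:36} {api:24} 0x{addr:08X}")
```

Run against the constructed trace, the first VirtualAlloc and the thread started at 0x00420010 trigger the RWX and thread-to-shellcode rules, the second VirtualAlloc triggers only the RW rule, and the thread started at 0x00500000 does not trigger the shellcode rule because that region is RX, not RWX, at the time; only the added RW-then-RX heuristic and the later NtProtectVirtualMemory to RWX surface it. Protection checks look only at the low byte, so PAGE_GUARD or PAGE_NOCACHE modifiers do not hide an RWX page.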
[1] capa v4.0, analyzed at MITRE on 10/12/2022