| ID | C0042 |
| Objective(s) | Process |
| Related ATT&CK Techniques | None |
| Version | 2.2 |
| Created | 4 December 2020 |
| Last Modified | 16 September 2024 |
Malware creates a mutex. Mutexes may be created for synchronization purposes (two or more processes/threads to share a resource).
| Name | Date | Method | Description |
|---|---|---|---|
| Poison Ivy | 2005 | -- | Poison Ivy has a default process mutex, but can be altered at build time. [1] |
| Stuxnet | 2010 | -- | Malware creates global mutexes that signal rootkit installation has occurred successfully. [2] |
| Hupigon | 2013 | -- | Hupigon creates a mutex. [3] |
| Kovter | 2016 | -- | Kovter creates a mutex. [3] |
| Redhip | 2011 | -- | Redhip creates a mutex. [3] |
| Rombertik | 2015 | -- | Rombertik creates a mutex. [3] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| create mutex | Create Mutex (C0042) | kernel32.CreateMutex, kernel32.CreateMutexEx, System.Threading.Mutex::ctor |
| lock file | Create Mutex (C0042) | fcntl |
| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| allaple_mutexes | AllapleMutexes | Create Mutex (C0042) | -- |
| andromut_mutexes | AndromutMutexes | Create Mutex (C0042) | -- |
| asyncrat_mutex_raccoon | RaccoonInfoStealerMutex | Create Mutex (C0042) | -- |
| asyncrat_mutex | AsyncRatMutex | Create Mutex (C0042) | -- |
| azorult_mutexes | AzorultMutexes | Create Mutex (C0042) | -- |
| banker_cridex | Cridex | Create Mutex (C0042) | -- |
| banker_spyeye_mutexes | SpyEyeMutexes | Create Mutex (C0042) | -- |
| banker_zeus_mutex | ZeusMutexes | Create Mutex (C0042) | -- |
| banker_zeus_p2p | ZeusP2P | Create Mutex (C0042) | -- |
| blackrat_mutexes | BlackRATMutexes | Create Mutex (C0042) | -- |
| bot_russkill | Ruskill | Create Mutex (C0042) | -- |
| carberp_mutex | CarberpMutexes | Create Mutex (C0042) | -- |
| crat_mutexes | CRATMutexes | Create Mutex (C0042) | -- |
| cryptomix_mutexes | CryptoMixMutexes | Create Mutex (C0042) | -- |
| cypherit_mutex | CypherITMutexes | Create Mutex (C0042) | -- |
| dcrat_mutexes | DCRatMutex | Create Mutex (C0042) | -- |
| deepfreeze_mutex | DeepFreezeMutex | Create Mutex (C0042) | -- |
| dharma_mutexes | DharmaMutexes | Create Mutex (C0042) | -- |
| fleercivet_mutex | FleerCivetMutexes | Create Mutex (C0042) | -- |
| fonix_mutexes | FonixMutexes | Create Mutex (C0042) | -- |
| gandcrab_mutexes | GandCrabMutexes | Create Mutex (C0042) | -- |
| geodo_banking_trojan | Geodo | Create Mutex (C0042) | -- |
| germanwiper_mutexes | GermanWiperMutexes | Create Mutex (C0042) | -- |
| limerat_mutexes | LimeRATMutexes | Create Mutex (C0042) | -- |
| lokibot_mutexes | LokibotMutexes | Create Mutex (C0042) | -- |
| medusalocker_mutexes | MedusaLockerMutexes | Create Mutex (C0042) | -- |
| nemty_mutexes | NemtyMutexes | Create Mutex (C0042) | -- |
| neshta_mutexes | NeshtaMutexes | Create Mutex (C0042) | -- |
| obliquerat_mutexes | ObliquekRATMutexes | Create Mutex (C0042) | -- |
| okrum_mutexes | OkrumMutexes | Create Mutex (C0042) | -- |
| packer_armadillo_mutex | ArmadilloMutex | Create Mutex (C0042) | -- |
| parallax_mutexes | ParallaxMutexes | Create Mutex (C0042) | -- |
| phorpiex_mutexes | PhorpiexMutexes | Create Mutex (C0042) | -- |
| powerpool_mutexes | PowerpoolMutexes | Create Mutex (C0042) | -- |
| protonbot_mutexes | ProtonBotMutexes | Create Mutex (C0042) | -- |
| pysa_mutexes | PYSAMutexes | Create Mutex (C0042) | -- |
| qulab_mutexes | QulabMutexes | Create Mutex (C0042) | -- |
| ransomware_radamant | RansomwareRadamant | Create Mutex (C0042) | -- |
| rat_beebus_mutexes | BeebusMutexes | Create Mutex (C0042) | -- |
| rat_fynloski_mutexes | FynloskiMutexes | Create Mutex (C0042) | -- |
| rat_luminosity | LuminosityRAT | Create Mutex (C0042) | CryptHashData, NtCreateMutant |
| rat_nanocore | NanocoreRAT | Create Mutex (C0042) | -- |
| rat_pcclient | PcClientMutexes | Create Mutex (C0042) | -- |
| rat_plugx_mutexes | PlugxMutexes | Create Mutex (C0042) | -- |
| rat_poisonivy_mutexes | PoisonIvyMutexes | Create Mutex (C0042) | -- |
| rat_quasar_mutexes | QuasarMutexes | Create Mutex (C0042) | -- |
| rat_spynet | SpynetRat | Create Mutex (C0042) | -- |
| rat_xtreme_mutexes | XtremeMutexes | Create Mutex (C0042) | -- |
| ratsnif_mutexes | RatsnifMutexes | Create Mutex (C0042) | -- |
| remcos_mutexes | RemcosMutexes | Create Mutex (C0042) | -- |
| renamer_mutexes | RenamerMutexes | Create Mutex (C0042) | -- |
| revil_mutexes | RevilMutexes | Create Mutex (C0042) | -- |
| satan_mutexes | SatanMutexes | Create Mutex (C0042) | -- |
| snake_ransom_mutexes | SnakeRansomMutexes | Create Mutex (C0042) | -- |
| stop_ransom_mutexes | StopRansomMutexes | Create Mutex (C0042) | -- |
| targeted_flame | Flame | Create Mutex (C0042) | -- |
| trickbot_mutex | TrickBotMutexes | Create Mutex (C0042) | -- |
| ursnif_behavior | UrsnifBehavior | Create Mutex (C0042) | -- |
| venomrat_mutexes | VenomRAT | Create Mutex (C0042) | -- |
| xpertrat_mutexes | XpertRATMutexes | Create Mutex (C0042) | -- |
Process::Create Mutex
SHA256: 0b8e662e7e595ef56396a298c367b74721d66591d856e8a8241fcdd60d08373c Location: 0x402A1Epush eax ; name of mutex push 0x0 ; if the thread that creates the mutex owns it (false, in this case) push 0x0 ; optional security descriptor set to NULL, so default security descriptor will be used call dword ptr [->KERNEL32.DLL::CreateMutexW] ; call function to create mutex
[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant
[2] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[3] capa v4.0, analyzed at MITRE on 10/12/2022