ID | C0007 |
---|---|
Objective(s) | Memory |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 14 August 2020 |
Last Modified | 13 September 2023 |

Malware allocates memory, often to unpack itself.

Name | Date | Method | Description |
---|---|---|---|
CryptoLocker | 2013 | -- | CryptoLocker allocates RWX memory. [1] |
Dark Comet | 2008 | -- | Dark Comet allocates RWX memory. [1] |
DNSChanger | 2011 | -- | DNSChanger allocates RWX memory. [1] |
Hupigon | 2013 | -- | Hupigon allocates RWX memory. [1] |
Mebromi | 2011 | -- | Mebromi allocates RWX memory. [1] |
Redhip | 2011 | -- | Redhip spawns threads to RWX shellcode. [1] |
Rombertik | 2015 | -- | Rombertik allocates RWX memory. [1] |
Stuxnet | 2010 | -- | Stuxnet allocates RWX memory. [1] |
TrickBot | 2016 | -- | TrickBot allocates RWX memory. [1] |

Tool: capa | Mapping | APIs |
---|---|---|
allocate RWX memory | Allocate Memory (C0007) | |
allocate memory | Allocate Memory (C0007) | kernel32.VirtualAlloc, kernel32.VirtualAllocEx, kernel32.VirtualAllocExNuma, kernel32.VirtualProtect, kernel32.VirtualProtectEx, NtAllocateVirtualMemory, ZwAllocateVirtualMemory, NtMapViewOfSection, ZwMapViewOfSection, NtProtectVirtualMemory, ZwProtectVirtualMemory |
allocate RW memory | Allocate Memory (C0007) | |
spawn thread to RWX shellcode | Allocate Memory (C0007) | |

[1] capa v4.0, analyzed at MITRE on 10/12/2022