| ID | C0017 |
| Objective(s) | Process |
| Related ATT&CK Techniques | None |
| Version | 2.0 |
| Created | 4 December 2020 |
| Last Modified | 13 September 2023 |
Malware creates a process.
| Name | ID | Description |
|---|---|---|
| Create Process via Shellcode | C0017.001 | Malware uses shellcode to create a process. |
| Create Process via WMI | C0017.002 | Malware uses WMI to create a process. |
| Create Suspended Process | C0017.003 | Malware created a suspended process. |
| Name | Date | Method | Description |
|---|---|---|---|
| Stuxnet | 2010 | C0017.002 | Stuxnet will use WMI operations with the explorer.exe token in order to copy itself and execute on the remote share. [1] |
| BlackEnergy | 2007 | -- | BlackEnergy creates a process on Windows. [2] |
| Dark Comet | 2008 | -- | Dark Comet creates a process on Windows. [2] |
| Gamut | 2014 | -- | Gamut creates a process on Windows. [2] |
| GoBotKR | 2019 | -- | GoBotKR creates a process on Windows. [2] |
| Hupigon | 2013 | -- | Hupigon creates a process on Windows. [2] |
| Kovter | 2016 | -- | Kovter creates a process on Windows. [2] |
| Mebromi | 2011 | -- | Mebromi creates a process on Windows. [2] |
| Redhip | 2011 | -- | Redhip creates a process on Windows. [2] |
| Redhip | 2011 | C0017.003 | Redhip creates a suspended process. [2] |
| Shamoon | 2012 | -- | Shamoon creates a process on Windows. [2] |
| TrickBot | 2016 | -- | TrickBot creates a process on Windows. [2] |
| TrickBot | 2016 | C0017.003 | TrickBot creates a suspended process. [2] |
| UP007 | 2016 | -- | The malware creates a process on Windows. [2] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| create process on Windows | Create Process (C0017) | kernel32.WinExec, kernel32.CreateProcess, shell32.ShellExecute, shell32.ShellExecuteEx, advapi32.CreateProcessAsUser, advapi32.CreateProcessWithLogon, advapi32.CreateProcessWithToken, kernel32.CreateProcessInternal, ntdll.NtCreateUserProcess, ntdll.NtCreateProcess, ntdll.NtCreateProcessEx, ntdll.ZwCreateProcess, ZwCreateProcessEx, ntdll.ZwCreateUserProcess, ntdll.RtlCreateUserProcess, System.Diagnostics.Process::Start |
| create process on Linux | Create Process (C0017) | execve, execl, execlp, execle, execv, execvp, execvpe, posix_spawn, posix_spawnp, popen |
| execute command | Create Process (C0017) | system, _system, wsystem, _wsystem |
| create a process with modified I/O handles and window | Create Process (C0017) | kernel32.CreateProcess, kernel32.CreateProcessInternal, advapi32.CreateProcessAsUser, advapi32.CreateProcessWithLogon, advapi32.CreateProcessWithToken, kernel32.GetStartupInfo, System.Diagnostics.Process::Start |
| create process suspended | Create Process::Create Suspended Process (C0017.003) | kernel32.CreateProcess, advapi32.CreateProcessAsUser |
[1] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[2] capa v4.0, analyzed at MITRE on 10/12/2022