| ID | Objective(s) | Related ATT&CK Techniques | Version | Created | Last Modified |
|---|---|---|---|---|---|
| C0007 | Memory | None | 2.2 | 14 August 2020 | 30 April 2023 |
Malware allocates memory, often to unpack itself.
| Tool: capa | Mapping | APIs |
|---|---|---|
| allocate or change RWX memory | Allocate Memory (C0007) | -- |
| allocate memory | Allocate Memory (C0007) | kernel32.VirtualAlloc, kernel32.VirtualAllocEx, kernel32.VirtualAllocExNuma, kernel32.VirtualProtect, kernel32.VirtualProtectEx, NtAllocateVirtualMemory, ZwAllocateVirtualMemory, NtMapViewOfSection, ZwMapViewOfSection, NtProtectVirtualMemory, ZwProtectVirtualMemory |
| allocate or change RW memory | Allocate Memory (C0007) | -- |
| spawn thread to RWX shellcode | Allocate Memory (C0007) | -- |
| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| Unpacker | CAPE_Unpacker | Allocate Memory (C0007) | VirtualProtectEx, NtAllocateVirtualMemory, NtProtectVirtualMemory |
Memory::Allocate Memory
SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
Location: 0x422BDC
```asm
push 0x40   ; flProtect: memory protection for the allocated pages (here PAGE_EXECUTE_READWRITE, which allows execute, read-only, or read/write access to the allocated memory)
push 0x1000 ; flAllocationType: the type of allocation to perform (here MEM_COMMIT, which commits virtual memory and backs it with physical pages only when they are first touched)
push 0x1000 ; dwSize: size of the region to allocate, in bytes
push 0x0    ; lpAddress: starting address for the region (not provided in this example)
call KERNEL32.DLL::VirtualAlloc ; call the function to allocate virtual memory
```
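Decoding the arguments in the listing above, as an added example that is not part of the MBC entry or of capa's own code: the script turns the four pushed immediates into VirtualAlloc parameter names and flag constants (values from winnt.h) and labels the call with the rule names from the capa table; the rule mapping is a simplified approximation of capa's real rule logic, and the example also handles OR'd allocation flags and protection modifier bits that the listing does not show.

```python
# Added example (not MBC's or capa's code): decode the immediates pushed before the
# 32-bit stdcall VirtualAlloc call above and label it as the capa rules in the table do.

# Allocation-type flags; a call may OR several together
MEM_FLAGS = {0x1000: "MEM_COMMIT", 0x2000: "MEM_RESERVE", 0x80000: "MEM_RESET",
             0x100000: "MEM_TOP_DOWN", 0x20000000: "MEM_LARGE_PAGES"}
# Page protection: low byte holds one exclusive base value, higher bits are modifiers
PAGE_BASE = {0x01: "PAGE_NOACCESS", 0x02: "PAGE_READONLY", 0x04: "PAGE_READWRITE",
             0x08: "PAGE_WRITECOPY", 0x10: "PAGE_EXECUTE", 0x20: "PAGE_EXECUTE_READ",
             0x40: "PAGE_EXECUTE_READWRITE", 0x80: "PAGE_EXECUTE_WRITECOPY"}
PAGE_MODIFIERS = {0x100: "PAGE_GUARD", 0x200: "PAGE_NOCACHE", 0x400: "PAGE_WRITECOMBINE"}
EXECUTABLE = {0x10, 0x20, 0x40, 0x80}
WRITABLE = {0x04, 0x08, 0x40, 0x80}

def decode_alloc_type(value):
    """Expand an OR'd MEM_* mask into names; unknown bits are kept as hex."""
    names = [name for bit, name in MEM_FLAGS.items() if value & bit]
    leftover = value & ~sum(MEM_FLAGS)  # keys are distinct bits, so sum == OR
    if leftover:
        names.append(hex(leftover))
    return " | ".join(names) or "0"

def decode_protect(value):
    """Name the base PAGE_* value plus any modifier bits."""
    base = value & 0xFF
    names = [PAGE_BASE.get(base, hex(base))]
    names += [name for bit, name in PAGE_MODIFIERS.items() if value & bit]
    return " | ".join(names)

def classify_virtualalloc(pushes):
    """pushes: immediates in listing order. Under stdcall the last push is the
    first parameter, so the order is [flProtect, flAllocationType, dwSize, lpAddress]."""
    if len(pushes) != 4:
        raise ValueError("VirtualAlloc takes exactly four arguments")
    protect, alloc_type, size, address = pushes
    base = protect & 0xFF
    if base in EXECUTABLE and base in WRITABLE:
        rule = "allocate or change RWX memory"  # the unpacking/staging pattern
    elif base in WRITABLE:
        rule = "allocate or change RW memory"
    else:
        rule = "allocate memory"
    return {"lpAddress": "NULL (system chooses)" if address == 0 else hex(address),
            "dwSize": size, "flAllocationType": decode_alloc_type(alloc_type),
            "flProtect": decode_protect(protect), "capa_rule": rule,
            "mbc": "Allocate Memory (C0007)"}

# Constructed input: the four pushes from the listing at 0x422BDC above
LISTING_PUSHES = [0x40, 0x1000, 0x1000, 0x0]
```

Calling `classify_virtualalloc(LISTING_PUSHES)` on the listing's pushes yields PAGE_EXECUTE_READWRITE, MEM_COMMIT and the "allocate or change RWX memory" rule.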
[1] capa v4.0, analyzed at MITRE on 10/12/2022