Resume Thread
May 1, 2024
| ID | C0054 |
|---|---|
| Objective(s) | Process |
| Related ATT&CK Techniques | None |
| Version | 2.2 |
| Created | 14 January 2021 |
| Last Modified | 30 April 2024 |
Resume Thread
Malware resumes a thread.
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| CryptoLocker | 2013 | -- | CryptoLocker resumes a thread. [1] |
| Dark Comet | 2008 | -- | Dark Comet resumes a thread. [1] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| resume thread | Resume Thread (C0054) | kernel32.ResumeThread, ntdll.NtResumeThread, ntdll.ZwResumeThread, System.Threading.Thread::Resume |
C0054 Snippet
Process::Resume Thread
SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db

Location: 0x41B345

```asm
push esi                           ; Where to store return value
mov ebx, param_1
mov param_1, dword ptr [ebx + 0x4]
push param_1                       ; Handle to thread to resume
call KERNEL32.DLL::ResumeThread    ; API call to resume thread
```
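The following is an added example, not part of the MBC entry or of capa: a small Python scanner that normalizes call operands in a disassembly listing and flags the APIs named in the Detection table. The `SAMPLE` listing is constructed, and the operand spellings other than the Ghidra form shown in the snippet (decorated `__imp__` import, `ds:` prefix, IL `callvirt`) are assumptions about what other tools emit.

```python
import re

# APIs from the capa row of the Detection table, lower-cased.
C0054_APIS = {
    "kernel32.resumethread",
    "ntdll.ntresumethread",
    "ntdll.zwresumethread",
    "system.threading.thread::resume",
}
# Bare symbol -> full name, for operands that carry no module name.
BY_SYMBOL = {n.split(".")[-1]: n for n in C0054_APIS if "::" not in n}

def normalize(operand):
    """Map a call operand to a C0054 API name, or None if it is not one."""
    t = operand.strip().lower()
    if "system.threading.thread::resume" in t:       # .NET IL method reference
        return "system.threading.thread::resume"
    # module.symbol, module!symbol or MODULE.DLL::symbol (Ghidra, as in the snippet)
    m = re.search(r"(\w+?)(?:\.dll)?(?:::|[.!])(\w+)$", t)
    if m:
        name = f"{m.group(1)}.{m.group(2)}"
        return name if name in C0054_APIS else None
    # No module given: take the last identifier, drop __imp_ prefix and @N suffix.
    tokens = re.findall(r"[a-z_]\w*", t)
    symbol = re.sub(r"^__imp__?", "", tokens[-1]) if tokens else ""
    return BY_SYMBOL.get(symbol)

def scan(lines):
    """Return (line number, API) for every call that maps to C0054."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        code = line.split(";", 1)[0]                 # ignore trailing comments
        m = re.search(r"\bcall(?:virt)?\s+(.+)", code)
        api = normalize(m.group(1)) if m else None
        if api:
            hits.append((lineno, api))
    return hits

# Constructed listing; line 2 uses the spelling from the page's snippet.
SAMPLE = [
    "push param_1                      ; Handle to thread to resume",
    "call KERNEL32.DLL::ResumeThread   ; API call to resume thread",
    "call dword ptr [__imp__NtResumeThread@8]",
    "call ds:ZwResumeThread",
    "callvirt instance void [mscorlib]System.Threading.Thread::Resume()",
    "call KERNEL32.DLL::SuspendThread  ; different API, not C0054",
    "call eax                          ; indirect call, target unknown",
]
```

Indirect calls such as `call eax` are not resolved by this text scan, so a clean result here does not rule out the behavior.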
References
[1] capa v4.0, analyzed at MITRE on 10/12/2022