| ID | C0017 |
| Objective(s) | Process |
| Related ATT&CK Techniques | None |
| Version | 2.2 |
| Created | 4 December 2020 |
| Last Modified | 30 April 2024 |
Malware creates a process.
| Name | ID | Description |
|---|---|---|
| Create Process via Shellcode | C0017.001 | Malware uses shellcode to create a process. |
| Create Process via WMI | C0017.002 | Malware uses WMI to create a process. |
| Create Suspended Process | C0017.003 | Malware created a suspended process. |
| Name | Date | Method | Description |
|---|---|---|---|
| Stuxnet | 2010 | C0017.002 | Stuxnet will use WMI operations with the explorer.exe token in order to copy itself and execute on the remote share. [1] |
| BlackEnergy | 2007 | -- | BlackEnergy creates a process on Windows. [2] |
| Dark Comet | 2008 | -- | Dark Comet creates a process on Windows. [2] |
| Gamut | 2014 | -- | Gamut creates a process on Windows. [2] |
| GoBotKR | 2019 | -- | GoBotKR creates a process on Windows. [2] |
| Hupigon | 2013 | -- | Hupigon creates a process on Windows. [2] |
| Kovter | 2016 | -- | Kovter creates a process on Windows. [2] |
| Mebromi | 2011 | -- | Mebromi creates a process on Windows. [2] |
| Redhip | 2011 | -- | Redhip creates a process on Windows. [2] |
| Redhip | 2011 | C0017.003 | Redhip creates a suspended process. [2] |
| Shamoon | 2012 | -- | Shamoon creates a process on Windows. [2] |
| TrickBot | 2016 | -- | TrickBot creates a process on Windows. [2] |
| TrickBot | 2016 | C0017.003 | TrickBot creates a suspended process. [2] |
| UP007 | 2016 | -- | The malware creates a process on Windows. [2] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| create process on Windows | Create Process (C0017) | kernel32.WinExec, kernel32.CreateProcess, shell32.ShellExecute, shell32.ShellExecuteEx, advapi32.CreateProcessAsUser, advapi32.CreateProcessWithLogon, advapi32.CreateProcessWithToken, kernel32.CreateProcessInternal, ntdll.NtCreateUserProcess, ntdll.NtCreateProcess, ntdll.NtCreateProcessEx, ntdll.ZwCreateProcess, ZwCreateProcessEx, ntdll.ZwCreateUserProcess, ntdll.RtlCreateUserProcess, System.Diagnostics.Process::Start |
| create process on Linux | Create Process (C0017) | execve, execl, execlp, execle, execv, execvp, execvpe, posix_spawn, posix_spawnp, popen, fork |
| execute command | Create Process (C0017) | system, _system, wsystem, _wsystem |
| create a process with modified I/O handles and window | Create Process (C0017) | kernel32.CreateProcess, kernel32.CreateProcessInternal, advapi32.CreateProcessAsUser, advapi32.CreateProcessWithLogon, advapi32.CreateProcessWithToken, kernel32.GetStartupInfo, System.Diagnostics.Process::Start |
| create process suspended | Create Process::Create Suspended Process (C0017.003) | kernel32.CreateProcess, advapi32.CreateProcessAsUser |
| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| stealth_system_procname | StealthSystemProcName | Create Process (C0017) | ShellExecuteExW, CreateProcessInternalW |
| stack_pivot | StackPivotProcessCreate | Create Process (C0017) | CreateProcessInternalW, NtCreateUserProcess |
| wmi | WMICreateProcess | Create Process:Create Process via WMI (C0017.002) | CreateProcessInternalW, NtCreateUserProcess |
| script_downloader | ScriptCreatedProcess | Create Process (C0017) | CreateProcessInternalW, NtCreateUserProcess |
Process::Create Process
SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db Location: 0x458C26lea param_1, [ebp + 0xfffffeb0] push param_1 ; pointer to PROCESS_INFORMATION struct to hold information about the new process lea param_1, [ebp + 0xfffffec0] push param_1 ; pointer to STARTUPINFO struct push 0x0 ; path to directory for new process -- if null, use same directory as calling process push 0x0 ; environment block for new process -- if null, use the calling process's environment block push 0x4 ; process creation flags (CREATE_SUSPENDED in this case) push 0x0 ; if heritable handles in the calling process should be inherited by the new process. If false, inheritance will not occur. push 0x0 ; security attributes for new process. If null, child processes cannot inherit thread running new process push 0x0 ; security attributes for new process. If null, child processes cannot inherit handle for new process mov param_1, dword ptr [ebp + local_8] call FUN_00404dfc push param_1 ; command line for new process to execute push 0x0 ; application name to be executed. If null, use command line provided in another argument call KERNEL32.DLL::CreateProcessA ; Call Windows API function to create new process
[1] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[2] capa v4.0, analyzed at MITRE on 10/12/2022