ID: C0054
Objective(s): Process
Related ATT&CK Techniques: None
Version: 2.2
Created: 14 January 2021
Last Modified: 30 April 2024

Resume Thread

Malware resumes a thread.

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| CryptoLocker | 2013 | -- | CryptoLocker resumes a thread. [1] |
| Dark Comet | 2008 | -- | Dark Comet resumes a thread. [1] |

Detection

| Tool: capa | Mapping | APIs |
|---|---|---|
| resume thread | Resume Thread (C0054) | kernel32.ResumeThread, ntdll.NtResumeThread, ntdll.ZwResumeThread, System.Threading.Thread::Resume |

C0054 Snippet

Process::Resume Thread
SHA256: 465d3aac3ca4daa9ad4de04fcb999f358396efd7abceed9701c9c28c23c126db
Location: 0x41B345

```asm
push    esi     ; Where to store return value
mov     ebx, param_1
mov     param_1, dword ptr [ebx + 0x4]
push    param_1 ; Handle to thread to resume
call    KERNEL32.DLL::ResumeThread      ; API call to resume thread
```

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022