ID | C0042 |
---|---|
Objective(s) | Process |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 4 December 2020 |
Last Modified | 13 September 2023 |

Malware creates a mutex.

Name | Date | Method | Description |
---|---|---|---|
Poison Ivy | 2005 | -- | Poison Ivy has a default process mutex, which can be altered at build time. [1] |
Stuxnet | 2010 | -- | Malware creates global mutexes that signal rootkit installation has occurred successfully. [2] |
Hupigon | 2013 | -- | Hupigon creates a mutex. [3] |
Kovter | 2016 | -- | Kovter creates a mutex. [3] |
Redhip | 2011 | -- | Redhip creates a mutex. [3] |
Rombertik | 2015 | -- | Rombertik creates a mutex. [3] |

Tool: capa | Mapping | APIs |
---|---|---|
create mutex | Create Mutex (C0042) | kernel32.CreateMutex, kernel32.CreateMutexEx, System.Threading.Mutex::ctor |
lock file | Create Mutex (C0042) | fcntl |

[1] https://www.fortinet.com/blog/threat-research/deep-analysis-of-new-poison-ivy-variant

[2] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en

[3] capa v4.0, analyzed at MITRE on 10/12/2022