ID | B0046 |
Objective(s) | Discovery |
Related ATT&CK Techniques | None |
Version | 2.0 |
Created | 10 November 2021 |
Last Modified | 13 September 2023 |

Malware may inspect code or enumerate aspects of it, such as its PE sections, section memory permissions, or PE header.

Name | ID | Description |
---|---|---|
Enumerate PE Sections | B0046.001 | Malware enumerates virtual offsets of code sections. |
Inspect Section Memory Permissions | B0046.002 | Malware identifies section memory permissions from image section header. |
Parse PE Header | B0046.003 | Malware parses the PE header. |

Name | Date | Method | Description |
---|---|---|---|
BlackEnergy | 2007 | B0046.001 | BlackEnergy enumerates PE sections. [1] |
CryptoLocker | 2013 | B0046.001 | CryptoLocker enumerates PE sections. [1] |
Dark Comet | 2008 | B0046.001 | DarkComet enumerates PE sections. [1] |
Emotet | 2018 | B0046.001 | Emotet enumerates PE sections. [1] |
Gamut | 2014 | B0046.001 | Gamut enumerates PE sections. [1] |
Hupigon | 2013 | B0046.001 | Hupigon enumerates PE sections. [1] |
Locky Bart | 2017 | B0046.001 | Locky Bart enumerates PE sections. [1] |
Redhip | 2011 | B0046.002 | Redhip inspects section memory permissions. [1] |
Stuxnet | 2010 | B0046.001 | Stuxnet enumerates PE sections. [1] |
TrickBot | 2016 | B0046.002 | TrickBot inspects section memory permissions. [1] |
Ursnif | 2016 | B0046.001 | Ursnif enumerates PE sections. [1] |

Tool: capa | Mapping | APIs |
---|---|---|
enumerate PE sections | Code Discovery::Enumerate PE Sections (B0046.001) | |
inspect section memory permissions | Code Discovery::Inspect Section Memory Permissions (B0046.002) | |

[1] capa v4.0, analyzed at MITRE on 10/12/2022