Skip to content

T1027.007 Dynamic API Resolution

Adversaries may obfuscate then dynamically resolve API functions called by their malware in order to conceal malicious functionalities and impair defensive analysis. Malware commonly uses various Native API functions provided by the OS to perform various tasks such as those involving processes, files, and other system artifacts.

API functions called by malware may leave static artifacts such as strings in payload files. Defensive analysts may also uncover which functions a binary file may execute via an import address table (IAT) or other structures that help dynamically link calling code to the shared modules that provide functions.14

To avoid static or other defensive analysis, adversaries may use dynamic API resolution to conceal malware characteristics and functionalities. Similar to Software Packing, dynamic API resolution may change file signatures and obfuscate malicious API function calls until they are resolved and invoked during runtime.

Various methods may be used to obfuscate malware calls to API functions. For example, hashes of function names are commonly stored in malware in lieu of literal strings. Malware can use these hashes (or other identifiers) to manually reproduce the linking and loading process using functions such as GetProcAddress() and LoadLibrary(). These hashes/identifiers can also be further obfuscated using encryption or other string manipulation tricks (requiring various forms of Deobfuscate/Decode Files or Information during execution).231

Item Value
ID T1027.007
Sub-techniques T1027.001, T1027.002, T1027.003, T1027.004, T1027.005, T1027.006, T1027.007, T1027.008, T1027.009, T1027.010, T1027.011
Tactics TA0005
Platforms Windows
Version 1.0
Created 22 August 2022
Last Modified 23 August 2022

Procedure Examples

ID Name Description
S1053 AvosLocker AvosLocker has used obfuscated API calls that are retrieved by their checksums.9
S0534 Bazar Bazar can hash then resolve API calls at runtime.78
S1063 Brute Ratel C4 Brute Ratel C4 can call and dynamically resolve hashed APIs.5
G0032 Lazarus Group Lazarus Group has used a custom hashing method to resolve APIs used in shellcode.10
S0147 Pteranodon Pteranodon can use a dynamic Windows hashing algorithm to map API components.6


ID Data Source Data Component
DS0022 File File Metadata
DS0011 Module Module Load
DS0009 Process OS API Execution