| ID |
C0018 |
| Objective(s) |
Process |
| Related ATT&CK Techniques |
None |
| Version |
2.2 |
| Created |
14 August 2020 |
| Last Modified |
30 April 2024 |
Malware terminates a process.
| Name |
Date |
Method |
Description |
| BlackEnergy |
2007 |
-- |
BlackEnergy terminates a process via fastfail. [1] |
| GoBotKR |
2019 |
-- |
GoBotKR terminates processes. [1] |
| GravityRAT |
2018 |
-- |
GravityRAT terminates processes. [1] |
| Hupigon |
2013 |
-- |
Hupigon terminates processes. [1] |
| Kovter |
2016 |
-- |
Kovter terminates processes. [1] |
| Shamoon |
2012 |
-- |
Shamoon terminates processes. [1] |
| Stuxnet |
2010 |
-- |
Stuxnet terminates processes. [1] |
| TrickBot |
2016 |
-- |
TrickBot terminates processes. [1] |
| UP007 |
2016 |
-- |
UP007 terminates processes. [1] |
| Tool: capa |
Mapping |
APIs |
| check mutex and exit |
Terminate Process (C0018) |
ExitProcess, exit, _Exit, _exit, WaitForSingleObject, GetLastError |
| terminate process via kill |
Terminate Process (C0018) |
kill |
| terminate process |
Terminate Process (C0018) |
System.Diagnostics.Process::Kill, System.Diagnostics.Process::WaitForExit, System.Diagnostics.Process::WaitForExitAsync, System.Environment::Exit, System.Windows.Forms.Application::Exit, kernel32.TerminateProcess, ntdll.NtTerminateProcess, kernel32.ExitProcess |
Process::Terminate Process
SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f
Location: 0x1400083c7
mov ecx, eax ; use the value stored in eax as the exit status for the exited process
call qword ptr [->MSVCRT.DLL::exit] ; call the Windows API function to terminate the process
[1] capa v4.0, analyzed at MITRE on 10/12/2022