Terminate Process

October 2, 2024 · View on GitHub

ID	C0018
Objective(s)	Process
Related ATT&CK Techniques	None
Version	2.2
Created	14 August 2020
Last Modified	30 April 2024

Terminate Process

Malware terminates a process.

Use in Malware

Name	Date	Method	Description
BlackEnergy	2007	--	BlackEnergy terminates a process via fastfail. [1]
GoBotKR	2019	--	GoBotKR terminates processes. [1]
GravityRAT	2018	--	GravityRAT terminates processes. [1]
Hupigon	2013	--	Hupigon terminates processes. [1]
Kovter	2016	--	Kovter terminates processes. [1]
Shamoon	2012	--	Shamoon terminates processes. [1]
Stuxnet	2010	--	Stuxnet terminates processes. [1]
TrickBot	2016	--	TrickBot terminates processes. [1]
UP007	2016	--	UP007 terminates processes. [1]

Detection

Tool: capa	Mapping	APIs
check mutex and exit	Terminate Process (C0018)	ExitProcess, exit, _Exit, _exit, WaitForSingleObject, GetLastError
terminate process via kill	Terminate Process (C0018)	kill
terminate process	Terminate Process (C0018)	System.Diagnostics.Process::Kill, System.Diagnostics.Process::WaitForExit, System.Diagnostics.Process::WaitForExitAsync, System.Environment::Exit, System.Windows.Forms.Application::Exit, kernel32.TerminateProcess, ntdll.NtTerminateProcess, kernel32.ExitProcess

Tool: CAPE	Class	Mapping	APIs
terminates_remote_process	TerminatesRemoteProcess	Terminate Process (C0018)	NtTerminateProcess

C0018 Snippet

Process::Terminate Process

SHA256: 27253651170386863b148afb2a0fdda7780ae65cbc31405acbd99fa06b44b79f Location: 0x1400083c7

mov     ecx, eax        ; use the value stored in eax as the exit status for the exited process
call    qword ptr [->MSVCRT.DLL::exit]  ; call the Windows API function to terminate the process

References

[1] capa v4.0, analyzed at MITRE on 10/12/2022