ID: C0047
Objective(s): File System
Related ATT&CK Techniques: None
Version: 2.3
Created: 4 December 2020
Last Modified: 30 April 2024
Malware deletes a file.
| Tool: capa | Mapping | APIs |
| --- | --- | --- |
| delete file | Delete File (C0047) | kernel32.DeleteFile, DeleteFileTransacted, NtDeleteFile, ZwDeleteFile, remove, _wremove, System.IO.File::Delete, System.IO.FileSystemInfo::Delete, kernel32.SHFileOperation, MoveFileEx |
| Tool: CAPE | Class | Mapping | APIs |
| --- | --- | --- | --- |
| clears_logs | ClearsLogs | Delete File (C0047) | -- |
| trickbot_task_delete | TrickBotTaskDelete | Delete File (C0047) | DeleteFileW |
| upatre_behavior | Upatre_APIs | Delete File (C0047) | DeleteFileA |
| ransomware_file_modifications | RansomwareFileModifications | Delete File (C0047) | MoveFileWithProgressW, MoveFileWithProgressTransactedW, NtCreateFile, NtWriteFile |
| anomalous_deletefile | anomalous_deletefile | Delete File (C0047) | NtDeleteFile, DeleteFileW, DeleteFileA |
| deletes_self | DeletesSelf | Delete File (C0047) | NtDeleteFile, DeleteFileW, DeleteFileA, MoveFileWithProgressW, MoveFileWithProgressTransactedW |
| deletes_files | LinuxDeletesFile | Delete File (C0047) | -- |
| ransomware_recyclebin | RansomwareRecyclebin | Delete File (C0047) | -- |
| removes_zoneid_ads | RemovesZoneIdADS | Delete File (C0047) | DeleteFileW, DeleteFileA |
File System::Delete File

SHA256: 000b535ab2a4fec86e2d8254f8ed65c6ebd37309ed68692c929f8f93a99233f6
Location: 0x409BB1

```asm
call FUN_00404E80               ; generate the name of the file to delete and leave a pointer to it in eax
push eax                        ; pass that name as the single argument of the next call
call KERNEL32.DLL::DeleteFileA  ; delete the file
cmp eax, 0x1                    ; DeleteFileA returns 1 (nonzero) on success and 0 on failure; the compare sets CF only when eax == 0
sbb eax, eax                    ; eax = eax - eax - CF: isolates the carry flag, giving -1 (0xFFFFFFFF) if the call failed, 0 otherwise
```
[1] capa v4.0, analyzed at MITRE on 10/12/2022