ID | F0007 |
Objective(s) | Defense Evasion |
Related ATT&CK Techniques | Indicator Removal on Host: Uninstall Malicious Application (T1630.001), Indicator Removal on Host: File Deletion (T1070.004) |
Version | 2.0 |
Created | 14 August 2020 |
Last Modified | 21 November 2022 |
Malware may uninstall itself to avoid detection.
See ATT&CK: Indicator Removal on Host: Uninstall Malicious Application (T1630.001), Indicator Removal on Host: File Deletion (T1070.004).
Name | ID | Description |
---|---|---|
COMSPEC Environment Variable | F0007.001 | Uninstalls self via COMSPEC environment variable. |
Name | Date | Method | Description |
---|---|---|---|
Terminator | 2013 | -- | Evades sandboxes by terminating and removing itself (DW20.exe) after installation. [1] |
CozyCar | 2010 | -- | CozyCar has a DLL file that serves as a cleanup mechanism for its dropped binary. [2] |
[1] https://www.mandiant.com/resources/hot-knives-through-butter-evading-file-based-sandboxes
[2] https://unit42.paloaltonetworks.com/tracking-minidionis-cozycars-new-ride-is-related-to-seaduke