Blog 1
Some malware reads registry key values and looks for substrings in them that suggest a virtual machine
The Smoke Loader banking trojan checks registry key values in System\CurrentControlSet\Enum\IDE and System\CurrentControlSet\Enum\SCSI to search for substrings that match QEMU, VirtualBox, VMware, or Xen virtualization products (Source)
FinFisher verifies that HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid does not equal "6ba1d002-21ed-4dbe-afb5-08cf8b81ca32" (Source)
CozyCar checks the registry key values in SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for security products (Source)
https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles
Story 2:
T1562.001 - Impair Defenses: Disable or Modify Tools
The threat actors disabled Windows Defender by adding the below to an already linked GPO.
T1547.001 - Registry Run Keys / Startup Folder
The threat actors set a couple of RunOnce registry keys and then immediately rebooted the system into Safe Mode with Networking.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aDTFUAIa7j:
https://malpedia.caad.fkie.fraunhofer.de/details/win.revil
Modify Registry key (T1112): Create its own registry key in \SOFTWARE\<uniquename>
T1547.001: A registry key will be set to maintain persistence of the payload on the host in the following: 'HKLM/software/' and 'HKCU/software/'
5. Clop ransomware.
T1562.001: Impair Defenses: Disable or Modify Tools: Clop disables Windows Defender at the beginning of its execution. Cybereason detects the malicious commands executed to silently modify related registry keys:
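The notes above describe two registry-based techniques a defender can audit for: autorun persistence under the Run/RunOnce keys (T1547.001, the Story 2 RunOnce entries, the Run\aDTFUAIa7j entry, and the REvil persistence key) and Defender being disabled through policy registry values (T1562.001, Story 2 and Clop). The following is an added example, not code from any of the linked sources: it parses a registry export in the text format that `reg export` and regedit produce and flags both patterns. The export content is constructed for the example; the `DisableAntiSpyware` policy value is my assumption of what such a GPO would set, since the page does not reproduce the actual value the actors added.

```python
"""Audit a Windows registry export (.reg text) for autorun persistence
(T1547.001) and Defender-disabling policy values (T1562.001).

Added example. The .reg content below is constructed for illustration.
"""
import re

# Constructed registry export in the format regedit / `reg export` writes.
# The value name aDTFUAIa7j is the one noted above; everything else is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"aDTFUAIa7j"="C:\\Users\\Public\\svchosts.exe"
"OneDrive"="C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*cleanup"="C:\\Windows\\Temp\\stage2.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
# "name"=data ; default values written as @=... are not needed here.
VAL_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')

AUTORUN_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
)
# Assumed policy location for a GPO-driven Defender disable (not from the page).
DEFENDER_POLICY_KEY = "hkey_local_machine\\software\\policies\\microsoft\\windows defender"
USER_WRITABLE_DIRS = ("\\users\\public\\", "\\temp\\", "\\appdata\\", "\\programdata\\")


def decode_data(data):
    """Decode the data side of a .reg value line (REG_SZ and REG_DWORD only)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if data.startswith('"') and data.endswith('"'):
        # .reg escapes backslashes and quotes inside REG_SZ strings.
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data  # hex(...) blobs etc. are left as raw text


def parse_reg(text):
    """Return {key_path: {value_name: data}} from .reg export text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key")
            keys.setdefault(current, {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name")] = decode_data(m.group("data"))
    return keys


def find_autoruns(keys):
    """Every value under a Run or RunOnce key, as (key_path, name, data)."""
    hits = []
    for path, values in keys.items():
        if path.lower().endswith(AUTORUN_SUFFIXES):
            hits.extend((path, name, data) for name, data in values.items())
    return hits


def suspicious_autoruns(keys):
    """Triage autoruns: binaries in user-writable dirs, or RunOnce entries
    whose name starts with '*', which Windows also runs in Safe Mode."""
    flagged = []
    for path, name, data in find_autoruns(keys):
        reasons = []
        if any(d in str(data).lower() for d in USER_WRITABLE_DIRS):
            reasons.append("launches from a user-writable directory")
        if path.lower().endswith("runonce") and name.startswith("*"):
            reasons.append("RunOnce entry prefixed with '*' also runs in Safe Mode")
        if reasons:
            flagged.append((path, name, data, reasons))
    return flagged


def defender_disabled(keys):
    """True if the Defender policy key sets DisableAntiSpyware to 1."""
    for path, values in keys.items():
        if path.lower() == DEFENDER_POLICY_KEY:
            return values.get("DisableAntiSpyware") == 1
    return False


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    for path, name, data, reasons in suspicious_autoruns(parsed):
        print(f"[autorun] {path}\\{name} -> {data}: {'; '.join(reasons)}")
    print("Defender disabled by policy:", defender_disabled(parsed))
```

Run it against a real export with `reg export HKLM\SOFTWARE hklm_software.reg` and feed the file contents to `parse_reg`; the heuristics are deliberately narrow (they would miss RunOnceEx and HKCU-only keys), so extend `AUTORUN_SUFFIXES` to the keys your baseline covers.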