Some malware reads registry key values and looks for substrings in them that suggest a virtual machine
The Smoke Loader banking trojan checks registry key values under System\CurrentControlSet\Enum\IDE
and System\CurrentControlSet\Enum\SCSI for substrings that match the QEMU, VirtualBox,
VMware, or Xen virtualization products (Source:
https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles)
Story 2:
https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html
T1012 - Query Registry: Conti ransomware first checks the computer name belonging to the
victim, via the registry:
T1562.001 - Impair Defenses: Disable or Modify Tools: The threat actors disabled Windows
Defender by adding the setting below to an already linked GPO.
T1547.001 - Registry Run Keys / Startup Folder
T1547.001 - Registry Run Keys / Startup Folder: the actors set a couple of RunOnce registry keys and then
immediately rebooted the system into Safe Mode with Networking.
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aDTFUAIa7j:
https://malpedia.caad.fkie.fraunhofer.de/details/win.revil
Modify Registry (T1112): creates its own registry key in \SOFTWARE\<uniquename>
T1547.001: A registry key is set to maintain persistence of the payload on the host under
one of the following: ‘HKLM/software/’ and ‘HKCU/software/’
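The Run/RunOnce paths quoted in these notes (including the Wow6432Node variant and the RunOnce-then-Safe-Mode pattern) are the kind of thing a responder wants to triage quickly from a registry export. The following is an added example, not code from any of the cited reports: it parses a small constructed .reg-format fragment (the value name mirrors the one in the note above; every path and program name is made up for this example), lists every value under the HKLM/HKCU Run and RunOnce keys, and annotates each entry with simple heuristics chosen here (32-bit Wow6432Node hive, launch from a user-writable directory, and the documented RunOnce behaviour that a value name prefixed with `*` still runs in Safe Mode).

```python
import re

# Constructed sample in Windows .reg export format, written for this example.
# The value name under the Wow6432Node Run key mirrors the one quoted in the
# notes; the program paths are invented.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]
"aDTFUAIa7j"="C:\\Users\\Public\\update.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"*cleanup"="C:\\Users\\alice\\AppData\\Local\\Temp\\x.exe /safeboot"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer]
"Shell"="explorer.exe"
"""

# Autorun key paths of interest (T1547.001), with or without the Wow6432Node
# redirection used by 32-bit software on 64-bit Windows.
AUTORUN_KEY = re.compile(
    r"^(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\(?:Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)$",
    re.IGNORECASE,
)
VALUE_LINE = re.compile(r'^"([^"]+)"="(.*)"$')

# User-writable drop locations; a start-up entry launching from one of these is
# a heuristic chosen for this example, not a definitive indicator.
SUSPICIOUS_DIRS = ("\\users\\public\\", "\\appdata\\local\\temp\\", "\\programdata\\")


def parse_reg_export(text):
    """Yield (key_path, value_name, data) for every string value in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]          # new key section
            continue
        m = VALUE_LINE.match(line)
        if key and m:
            # .reg files escape backslashes inside strings; undo that here
            yield key, m.group(1), m.group(2).replace("\\\\", "\\")


def find_autorun_entries(text):
    """Return every Run/RunOnce value with the reasons (if any) it looks unusual."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not AUTORUN_KEY.match(key):
            continue
        reasons = []
        if "wow6432node" in key.lower():
            reasons.append("32-bit Run key (Wow6432Node) is easy to overlook in reviews")
        if any(d in data.lower() for d in SUSPICIOUS_DIRS):
            reasons.append("launches from a user-writable directory")
        if name.startswith("*"):
            reasons.append("RunOnce value with '*' prefix runs even in Safe Mode")
        findings.append({"key": key, "name": name, "data": data, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_autorun_entries(SAMPLE_REG):
        flag = "REVIEW" if f["reasons"] else "ok"
        print(f"[{flag}] {f['key']}\\{f['name']} -> {f['data']}")
        for r in f["reasons"]:
            print(f"         - {r}")
```

Run against a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` from an elevated prompt, then feed the file's text to `find_autorun_entries`), the Explorer entry in the sample shows why the key filter matters: plenty of legitimate values live next door to the autorun keys, and only the Run/RunOnce paths themselves should be surfaced for review.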
https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware
https://eforensicsmag.com/detecting-ransomware-precursors-by-andrew-skatoff/
Source: BitPaymer
https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/
Ryuk Ransomware
https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/
REVIL
The mpsvc.dll creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter,
which contains several registry values that store the encryptor's runtime keys and configuration
artifacts. (2)