Story 2:

1. Several types of malware check the registry for keys related to virtual machines to determine whether they are running in a virtual environment. They also check for security products.
2. The top 5 ransomware families - Maze, Conti, REvil, Netwalker, and Clop - all modify registry keys to maintain persistence, disable security tools, and enable privileges such as Remote Desktop access.
3. Specifically, they make changes to the RunOnce registry keys, add keys to the Run section, and modify values under HKLM and HKCU software keys to store configuration data and runtime artifacts.

Uploaded by Viren Choudhari

Story 1:

Some malware reads registry key values and looks for substrings in them that suggest a virtual machine

The Smoke Loader banking trojan checks registry key values in System\CurrentControlSet\Enum\IDE and System\CurrentControlSet\Enum\SCSI to search for substrings that match the QEMU, VirtualBox, VMware, or Xen virtualization products (Source)

FinFisher verifies that HKLM\SOFTWARE\Microsoft\Cryptography\MachineGuid does not equal "6ba1d002-21ed-4dbe-afb5-08cf8b81ca32" (Source)

CozyCar checks the registry key values in SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall for security products (Source)

https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles

Story 2:

Top 5 ransomware families and how they utilize the registry

https://www.fireeye.com/blog/threat-research/2021/05/shining-a-light-on-darkside-ransomware-operations.html

Top ransomware families and how they use registry keys

1. Maze (aka ChaCha ransomware) Maze ransomware, first spotted in 2019, quickly rose to the top of its malware class. ...
Source: 1, 2, 3, 4, 5
T1112: Modify Registry
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
--- sets fDenyTSConnections to 0, which enables Remote Desktop connections

T1547.001 - Registry Run Keys / Startup Folder

T1012 - Query Registry

2. Conti (aka IOCP ransomware) ...

https://blogs.blackberry.com/en/2021/05/threat-thursday-conti-ransoms-over-400-organizations-worldwide
https://thedfirreport.com/2021/05/12/conti-ransomware/

T1012 - Query Registry: Conti ransomware first checks the computer name belonging to the victim, via the registry:

T1562.001 - Impair Defenses: Disable or Modify Tools: The threat actors disabled Windows Defender by adding the below to an already linked GPO.

T1547.001 - Registry Run Keys / Startup Folder

3. REvil (aka Sodin, Sodinokibi ransomware) ...

https://www.bleepingcomputer.com/news/security/revil-ransomware-has-a-new-windows-safe-mode-encryption-mode/
https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/
https://blogs.blackberry.com/en/2021/05/threat-thursday-dr-revil-ransomware-strikes-again-employs-double-extortion-tactics

T1547.001 - Registry Run Keys / Startup Folder - a couple of RunOnce registry keys were set, and then the system was immediately rebooted into Safe Mode with Networking
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\aDTFUAIa7j :

https://malpedia.caad.fkie.fraunhofer.de/details/win.revil

4. Netwalker (aka Mailto ransomware) ...

https://www.mcafee.com/blogs/other-blogs/mcafee-labs/take-a-netwalk-on-the-wild-side/
https://www.cynet.com/attack-techniques-hands-on/netwalker-ransomware-report/

Registry Run Key (T1547.001): Places a value on the RunOnce key

Modify Registry key (T1112): Creates its own registry key in \SOFTWARE\<uniquename>

T1547.001: A registry key will be set to maintain persistence of the payload on the host under the following: 'HKLM/software/' and 'HKCU/software/'

T1112 Registry Modification: HKLM\Software\Classes\cmdfile\shell\open\command


5. Clop ransomware.
https://x-phy.com/doppelpaymer-kia-motors/

https://www.cybereason.com/blog/cybereason-vs.-clop-ransomware

https://eforensicsmag.com/detecting-ransomware-precursors-by-andrew-skatoff/

T1562.001: Impair Defenses: Disable or Modify Tools: Clop disables Windows Defender at the beginning of its execution. Cybereason detects the malicious commands executed to silently modify the related registry keys: (Source)

BitPaymer

https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/

Ryuk Ransomware

It added a Run key:

REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V \"microsoft update\" /t REG_SZ /F /D "SCHTASKS /run /tn 9T6ukfi6"

https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/

REvil

The mpsvc.dll creates the registry key HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BlackLivesMatter, which contains several registry values that store encryptor runtime keys/configuration artifacts. (2)
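As an added detection example (not part of these notes or of any vendor report cited here), the checker below parses `reg add` command lines as they appear in process-creation logs (Sysmon Event ID 1 or Security 4688) and maps them to the techniques listed above: Run/RunOnce persistence (T1547.001), the fDenyTSConnections=0 Remote Desktop enablement and the cmdfile handler modification (T1112). The Windows Defender policy key in the last rule is an assumption of mine, since the notes do not name the exact keys Conti and Clop touch; the sample command lines are constructed, the first two mirroring the Maze and Ryuk commands quoted above.

```python
"""Classify `reg add` command lines against the ransomware registry techniques in the notes."""
import re
from typing import Optional

_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKLM": "HKLM", "HKCU": "HKCU"}
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')  # quoted argument or bare word

# (technique, description, key regex, value-name regex or None, data regex or None)
_RULES = [
    ("T1547.001", "Run/RunOnce persistence",
     r"\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", None, None),
    ("T1112", "Remote Desktop enabled via fDenyTSConnections=0",
     r"\\Control\\Terminal Server$", r"fDenyTSConnections", r"0"),
    ("T1112", "cmdfile handler modification (Netwalker)",
     r"\\Classes\\cmdfile\\shell\\open\\command$", None, None),
    # Assumed key (not named in the notes): Defender policy values live under this path.
    ("T1562.001", "Windows Defender policy tampering",
     r"\\Policies\\Microsoft\\Windows Defender", None, None),
]

def parse_reg_add(cmdline: str) -> Optional[dict]:
    """Return {'key','value','type','data'} for a `reg add` command line, else None."""
    # Logs often escape embedded quotes as \" (see the Ryuk line); undo that first.
    tokens = [q or bare for q, bare in _TOKEN.findall(cmdline.replace('\\"', '"'))]
    if len(tokens) < 3 or tokens[0].lower() != "reg" or tokens[1].lower() != "add":
        return None
    hive, _, path = tokens[2].partition("\\")
    rec = {"key": _HIVES.get(hive.upper(), hive.upper()) + "\\" + path,
           "value": None, "type": None, "data": None}
    flags = {"/v": "value", "/t": "type", "/d": "data"}  # reg.exe flags are case-insensitive
    i = 3
    while i < len(tokens):
        field = flags.get(tokens[i].lower())
        if field and i + 1 < len(tokens):
            rec[field] = tokens[i + 1]
            i += 2
        else:
            i += 1  # /f, /s and unknown tokens carry no argument we need
    return rec

def classify(cmdline: str) -> list:
    """Return the list of 'Txxxx: description' hits for one command line."""
    rec = parse_reg_add(cmdline)
    if rec is None:
        return []
    hits = []
    for tech, desc, key_re, val_re, data_re in _RULES:
        if not re.search(key_re, rec["key"], re.I):
            continue
        if val_re and not (rec["value"] and re.fullmatch(val_re, rec["value"], re.I)):
            continue
        if data_re and not (rec["data"] and re.fullmatch(data_re, rec["data"])):
            continue
        hits.append(f"{tech}: {desc}")
    return hits

SAMPLE_CMDLINES = [  # constructed samples
    'reg add "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f',
    'REG ADD "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" /V \\"microsoft update\\" /t REG_SZ /F /D "SCHTASKS /run /tn 9T6ukfi6"',
    'reg add HKCU\\Software\\Contoso\\App /v Theme /t REG_SZ /d dark /f',  # benign
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line) or "no match", "<-", line)
```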
