| ID | E1112 |
| Objective(s) | Defense Evasion, Persistence |
| Related ATT&CK Techniques | Modify Registry (T1112) |
| Version | 2.0 |
| Created | 2 August 2022 |
| Last Modified | 19 September 2023 |
Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective).
See ATT&CK: Modify Registry (T1112).
| Name | Date | Method | Description |
|---|---|---|---|
| GoBotKR | 2019 | -- | GoBotKR can modify registry keys to disable Task Manager, Registry Editor and Command Prompt. [2] |
| Hupigon | 2013 | -- | The malware adds many entries to the registry. [3] |
| Gamut | 2014 | -- | The malware adds a registry key. [4] |
| Kovter | 2016 | -- | The malware modifies the registry during execution. [5] |
| Shamoon | 2012 | -- | Shamoon disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy. [6] |
| CHOPSTICK | 2015 | -- | CHOPSTICK may encrypt and store configuration data inside a registry key. [7] |
| Clipminer | 2011 | -- | Clipminer edits the registry. [8] |
[1] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking
[2] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON
[4] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/
[5] https://labs.vipre.com/analysis-of-kovter-a-very-clever-piece-of-malware/#:~:text=Kovter%20copies%20the%20fileless%20persistence,written%20on%20to%20the%20filesystem.
[6] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/
[7] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[8] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking