modify-registry.md

File metadata and controls

66 lines (50 loc) · 2.93 KB
ID E1112
Objective(s) Defense Evasion, Persistence
Related ATT&CK Techniques Modify RegistryT1112)
Version 2.0
Created 2 August 2022
Last Modified 21 November 2022

Modify Registry

Malware may make changes to the Windows Registry to hide execution or to persist on the system (note that ATT&CK does not extend this behavior to the Persistence objective).

See ATT&CK: Modify Registry (T1112).

Use in Malware

| Name | Date | Method | Description |
|---|---|---|---|
| TrickBot | 2016 | -- | Trojan spyware program that has mainly been used for targeting banking sites. |
| Poison-Ivy | 2005 | -- | After the Poison-Ivy server is running on the target machine, the attacker can use a Windows GUI client to control the target computer. [1] |
| GoBotKR | 2019 | -- | GoBotKR can modify registry keys to disable Task Manager, Registry Editor and Command Prompt. [2] |
| Hupigon | 2013 | -- | The malware adds many entries to the registry. [3] |
| Gamut | 2014 | -- | The malware adds a registry key. [4] |
| Kovter | 2016 | -- | The malware modifies the registry during execution. [5] |
| Shamoon | 2012 | -- | Disables remote user account control by enabling the registry key LocalAccountTokenFilterPolicy. [6] |
| CHOPSTICK | 2015 | -- | CHOPSTICK may encrypt and store configuration data inside a registry key. [7] |
| Clipminer | 2011 | -- | Clipminer edits the registry. [8] |
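The table names two concrete registry effects, the Shamoon LocalAccountTokenFilterPolicy change and the GoBotKR tool-disabling values. As an added, defender-side example that is not part of the MBC page or any of the cited reports, the following PowerShell audit reads those values on a host and reports any that are set to the tamper state; the key paths and value names are taken from Microsoft's documentation of these policy values rather than from this page.

```powershell
# Added example: audit the registry values described in the table above.
# Key paths and value names come from Microsoft documentation, not from the
# MBC page; the "bad" data values are the settings the descriptions refer to.
$checks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'LocalAccountTokenFilterPolicy'; Bad = @(1)
       Note = 'Remote UAC token filtering disabled (cf. Shamoon)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableTaskMgr'; Bad = @(1)
       Note = 'Task Manager disabled (cf. GoBotKR)' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Bad = @(1)
       Note = 'Registry Editor disabled (cf. GoBotKR)' },
    @{ Path = 'HKCU:\Software\Policies\Microsoft\Windows\System'
       Name = 'DisableCMD'; Bad = @(1, 2)   # 1 blocks cmd and batch, 2 blocks cmd only
       Note = 'Command Prompt disabled (cf. GoBotKR)' }
)

function Get-RegistryTamperFindings {
    param([array]$Checks = $checks)
    foreach ($c in $Checks) {
        # A missing key or value is the untouched default: nothing to report.
        $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        if ($null -eq $item) { continue }
        $data = $item.($c.Name)
        if ($c.Bad -contains $data) {
            [pscustomobject]@{
                Key  = $c.Path
                Name = $c.Name
                Data = $data
                Note = $c.Note
            }
        }
    }
}

$findings = @(Get-RegistryTamperFindings)
if ($findings.Count -eq 0) {
    Write-Output 'No tamper settings found among the audited values.'
} else {
    $findings | Format-Table -AutoSize
}
```

The HKCU checks only cover the user running the script; loading other users' hives or running under each account is needed for a full audit.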

References

[1] https://www.cyber.nj.gov/threat-profiles/trojan-variants/poison-ivy

[2] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/

[3] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/HUPIGON

[4] https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/gamut-spambot-analysis/

[5] https://blog.malwarebytes.com/threat-analysis/2016/07/untangling-kovter/

[6] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-returns-to-wipe-systems-in-middle-east-europe/

[7] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

[8] https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/clipminer-bitcoin-mining-hijacking