| ID | C0036 |
| Objective(s) | Operating System |
| Related ATT&CK Techniques | None |
| Version | 2.3 |
| Created | 4 December 2020 |
| Last Modified | 30 April 2024 |
Malware modifies the registry.
| Name | ID | Description |
|---|---|---|
| Create Registry Key | C0036.004 | Malware creates a registry key. |
| Delete Registry Key | C0036.002 | Malware deletes a registry key. |
| Delete Registry Value | C0036.007 | Malware deletes a registry value. |
| Open Registry Key | C0036.003 | Malware opens a registry key. |
| Query Registry Key | C0036.005 | Malware queries a registry key. |
| Query Registry Value | C0036.006 | Malware queries a registry value. |
| Set Registry Value | C0036.001 | Malware sets a registry value. |
| Name | Date | Method | Description |
|---|---|---|---|
| BlackEnergy | 2007 | C0036.005 | BlackEnergy queries or enumerates a registry key. [1] |
| BlackEnergy | 2007 | C0036.006 | BlackEnergy queries or enumerates a registry value. [1] |
| Dark Comet | 2008 | C0036.001 | Dark Comet sets registry values. [1] |
| Dark Comet | 2008 | C0036.002 | Dark Comet deletes registry keys. [1] |
| Dark Comet | 2008 | C0036.005 | Dark Comet queries or enumerates registry keys. [1] |
| Dark Comet | 2008 | C0036.006 | Dark Comet queries or enumerates registry values. [1] |
| Dark Comet | 2008 | C0036.007 | Dark Comet deletes registry values. [1] |
| DNSChanger | 2011 | C0036.001 | DNSChanger sets registry keys. [1] |
| DNSChanger | 2011 | C0036.006 | DNSChanger queries or enumerates registry values. [1] |
| Gamut | 2014 | C0036.001 | Gamut sets registry values. [1] |
| Gamut | 2014 | C0036.002 | Gamut deletes registry keys. [1] |
| Gamut | 2014 | C0036.005 | Gamut queries or enumerates registry keys. [1] |
| Gamut | 2014 | C0036.006 | Gamut queries or enumerates registry values. [1] |
| Gamut | 2014 | C0036.007 | Gamut deletes registry values. [1] |
| GoBotKR | 2019 | C0036.006 | GoBotKR queries or enumerates registry values. [1] |
| Hupigon | 2013 | C0036.001 | Hupigon sets registry values. [1] |
| Hupigon | 2013 | C0036.002 | Hupigon deletes registry keys. [1] |
| Hupigon | 2013 | C0036.005 | Hupigon queries or enumerates registry keys. [1] |
| Hupigon | 2013 | C0036.006 | Hupigon queries or enumerates registry values. [1] |
| Hupigon | 2013 | C0036.007 | Hupigon deletes registry values. [1] |
| Kovter | 2016 | C0036.004 | Kovter creates or opens registry keys. [1] |
| Kovter | 2016 | C0036.006 | Kovter queries or enumerates registry values. [1] |
| Locky Bart | 2017 | C0036.001 | Locky Bart sets registry values. [1] |
| Poison Ivy | 2005 | C0036.006 | Poison Ivy queries or enumerates registry values. [1] |
| Redhip | 2011 | C0036.001 | Redhip set registry values. [1] |
| Redhip | 2011 | C0036.002 | Redhip deletes registry keys. [1] |
| Redhip | 2011 | C0036.006 | Redhip queries or enumerates registry values. [1] |
| Rombertik | 2015 | C0036.001 | Rombertik sets registry values. [1] |
| Rombertik | 2015 | C0036.002 | Rombertik deletes registry keys. [1] |
| Rombertik | 2015 | C0036.006 | Rombertik queries or enumerates registry values. [1] |
| Shamoon | 2012 | C0036.006 | Shamoon queries or enumerates registry values. [1] |
| Shamoon | 2012 | C0036.007 | Shamoon deletes registry values. [1] |
| UP007 | 2016 | C0036.001 | UP007 sets registry values. [1] |
| UP007 | 2016 | C0036.006 | UP007 queries or enumerates registry values. [1] |
| Tool: capa | Mapping | APIs |
|---|---|---|
| set registry key via offline registry library | Registry::Set Registry Key (C0036.001) | ORSetValue, ORSaveHive |
| open registry key via offline registry library | Registry::Open Registry Key (C0036.003) | OROpenHive, OROpenKey |
| query or enumerate registry key | Registry::Query Registry Key (C0036.005) | advapi32.RegEnumKey, advapi32.RegEnumKeyEx, advapi32.RegQueryInfoKeyA, ZwQueryKey, ZwEnumerateKey, NtQueryKey, NtEnumerateKey, RtlCheckRegistryKey, SHEnumKeyEx, SHQueryInfoKey, SHRegEnumUSKey, SHRegQueryInfoUSKey, Microsoft.Win32.RegistryKey::GetSubKeyNames, Microsoft.Win32.RegistryKey::OpenBaseKey, Microsoft.Win32.RegistryKey::OpenRemoteBaseKey, Microsoft.Win32.RegistryKey::OpenSubKey |
| query or enumerate registry value | Registry::Query Registry Value (C0036.006) | advapi32.RegGetValue, advapi32.RegEnumValue, advapi32.RegQueryValue, advapi32.RegQueryValueEx, advapi32.RegQueryMultipleValues, ZwQueryValueKey, ZwEnumerateValueKey, NtQueryValueKey, NtEnumerateValueKey, RtlQueryRegistryValues, SHGetValue, SHEnumValue, SHRegGetInt, SHRegGetPath, SHRegGetValue, SHQueryValueEx, SHRegGetUSValue, SHOpenRegStream, SHRegEnumUSValue, SHOpenRegStream2, SHRegQueryUSValue, SHRegGetBoolUSValue, SHRegGetValueFromHKCUHKLM, SHRegGetBoolValueFromHKCUHKLM, Microsoft.Win32.RegistryKey::GetValue, Microsoft.Win32.RegistryKey::GetValueKind, Microsoft.Win32.RegistryKey::GetValueNames, Microsoft.Win32.Registry::GetValue |
| query registry key via offline registry library | Registry::Query Registry Value (C0036.006) | ORGetValue |
| create registry key via offline registry library | Registry::Create Registry Key (C0036.004) | ORCreateHive, ORCreateKey |
| set registry value | Registry::Set Registry Key (C0036.001) | advapi32.RegSetValue, advapi32.RegSetValueEx, advapi32.RegSetKeyValue, ZwSetValueKey, NtSetValueKey, RtlWriteRegistryValue, SHSetValue, SHRegSetPath, SHRegSetValue, SHRegSetUSValue, SHRegWriteUSValue, Microsoft.Win32.RegistryKey::SetValue, Microsoft.Win32.Registry::SetValue |
| delete registry key | Registry::Delete Registry Key (C0036.002) | advapi32.RegDeleteKey, advapi32.RegDeleteTree, advapi32.RegDeleteKeyEx, advapi32.RegDeleteKeyTransacted, ZwDeleteKey, NtDeleteKey, SHDeleteKey, SHDeleteEmptyKey, SHRegDeleteEmptyUSKey, Microsoft.Win32.RegistryKey::DeleteSubKey, Microsoft.Win32.RegistryKey::DeleteSubKeyTree |
| delete registry value | Registry::Delete Registry Value (C0036.007) | advapi32.RegDeleteValue, advapi32.RegDeleteKeyValue, ZwDeleteValueKey, NtDeleteValueKey, RtlDeleteRegistryValue, SHDeleteValue, SHRegDeleteUSValue, Microsoft.Win32.RegistryKey::DeleteValue |
| create or open registry key | Registry::Create Registry Key (C0036.004) | advapi32.RegOpenKey, advapi32.RegOpenKeyEx, advapi32.RegCreateKey, advapi32.RegCreateKeyEx, advapi32.RegOpenCurrentUser, advapi32.RegOpenKeyTransacted, advapi32.RegOpenUserClassesRoot, advapi32.RegCreateKeyTransacted, ZwOpenKey, ZwOpenKeyEx, ZwCreateKey, ZwOpenKeyTransacted, ZwOpenKeyTransactedEx, ZwCreateKeyTransacted, NtOpenKey, NtCreateKey, SHRegOpenUSKey, SHRegCreateUSKey, RtlCreateRegistryKey, Microsoft.Win32.RegistryKey::OpenSubKey, Microsoft.Win32.RegistryKey::OpenBaseKey, Microsoft.Win32.RegistryKey::OpenRemoteBaseKey, Microsoft.Win32.RegistryKey::CreateSubKey |
| create or open registry key | Registry::Open Registry Key (C0036.003) | advapi32.RegOpenKey, advapi32.RegOpenKeyEx, advapi32.RegCreateKey, advapi32.RegCreateKeyEx, advapi32.RegOpenCurrentUser, advapi32.RegOpenKeyTransacted, advapi32.RegOpenUserClassesRoot, advapi32.RegCreateKeyTransacted, ZwOpenKey, ZwOpenKeyEx, ZwCreateKey, ZwOpenKeyTransacted, ZwOpenKeyTransactedEx, ZwCreateKeyTransacted, NtOpenKey, NtCreateKey, SHRegOpenUSKey, SHRegCreateUSKey, RtlCreateRegistryKey, Microsoft.Win32.RegistryKey::OpenSubKey, Microsoft.Win32.RegistryKey::OpenBaseKey, Microsoft.Win32.RegistryKey::OpenRemoteBaseKey, Microsoft.Win32.RegistryKey::CreateSubKey |
| Tool: CAPE | Class | Mapping | APIs |
|---|---|---|---|
| darkcomet_regkeys | DarkCometRegkeys | Registry (C0036) | -- |
| ransomware_revil_regkey | RevilRegkey | Registry (C0036) | -- |
| browser_security | BrowserSecurity | Registry::Set Registry Value (C0036.001) | -- |
| disables_notificationcenter | DisablesNotificationCenter | Registry (C0036) | -- |
| removes_networking_icon | RemovesNetworkingIcon | Registry (C0036) | -- |
| tampers_powershell_logging | TampersPowerShellLogging | Registry (C0036) | -- |
| disables_power_options | DisablesPowerOptions | Registry (C0036) | -- |
| browser_startpage | browser_startpage | Registry::Set Registry Value (C0036.001) | -- |
| disables_restore_default_state | DisablesRestoreDefaultState | Registry (C0036) | -- |
| antivm_generic_cpu | AntiVMCPU | Registry::Query Registry Key (C0036.005) | RegQueryValueExW, RegQueryValueExA, NtQueryValueKey |
| prevents_safeboot | prevents_safeboot | Registry (C0036) | -- |
| disables_smartscreen | DisablesSmartScreen | Registry (C0036) | -- |
| disables_context_menus | DisablesContextMenus | Registry (C0036) | -- |
| antivm_generic_bios | AntiVMBios | Registry::Query Registry Key (C0036.005) | -- |
| disables_run_command | DisableRunCommand | Registry (C0036) | -- |
| persistence_ifeo | PersistenceIFEO | Registry (C0036) | -- |
| persistence_ifeo | PersistenceSilentProcessExit | Registry (C0036) | -- |
| antivm_vbox_keys | VBoxDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| packer_armadillo_regkey | ArmadilloRegKey | Registry (C0036) | -- |
| disables_backups | DisablesBackups | Registry (C0036) | -- |
| antianalysis_detectreg | AntiAnalysisDetectReg | Registry::Open Registry Key (C0036.003) | -- |
| creates_largekey | CreatesLargeKey | Registry (C0036) | RegSetValueExA, RegSetValueExW, NtSetValueKey |
| removes_username_startmenu | RemovesUsernameStartMenu | Registry (C0036) | -- |
| stealth_hiddenreg | StealthHiddenReg | Registry (C0036) | -- |
| disables_startmenu_search | DisablesStartMenuSearch | Registry (C0036) | -- |
| antivm_hyperv_keys | HyperVDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| creates_nullvalue | CreatesNullValue | Registry (C0036) | NtCreateKey, NtSetValueKey |
| antivm_generic_scsi | AntiVMSCSI | Registry::Query Registry Key (C0036.005) | RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW, RegOpenKeyExA |
| disables_appv_virtualization | DisablesAppVirtualiztion | Registry (C0036) | -- |
| antivm_xen_keys | XenDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| antivm_parallels_keys | ParallelsDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| antivm_generic_diskreg | AntiVMDiskReg | Registry::Query Registry Key (C0036.005) | -- |
| antivm_vpc_keys | AntiVMDiskReg | Registry::Query Registry Key (C0036.005) | -- |
| disables_folder_options | DisableFolderOptions | Registry (C0036) | -- |
| office_security | OfficeSecurity | Registry (C0036) | -- |
| antivm_bochs_keys | BochsDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| tampers_etw | TampersETW | Registry (C0036) | -- |
| disables_event_logging | DisablesEventLogging | Registry (C0036) | -- |
| antivm_generic_system | AntiVMSystem | Registry::Query Registry Key (C0036.005) | -- |
| browser_addon | BrowserAddon | Registry::Set Registry Value (C0036.001) | -- |
| removes_startmenu_defaults | RemovesStartMenuDefaults | Registry (C0036) | -- |
| disables_uac | DisablesUAC | Registry (C0036) | -- |
| disables_wer | DisablesWER | Registry (C0036) | -- |
| antivm_generic_services | AntiVMServices | Registry::Query Registry Key (C0036.005) | RegOpenKeyExW, RegEnumKeyExW, RegEnumKeyExA, RegOpenKeyExA |
| antivm_generic_services | AntiVMServices | Registry::Query Registry Value (C0036.006) | RegOpenKeyExW, RegEnumKeyExW, RegEnumKeyExA, RegOpenKeyExA |
| antiav_detectreg | AntiAVDetectReg | Registry::Query Registry Key (C0036.005) | -- |
| antivm_vmware_keys | VMwareDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| disables_windowsupdate | DisablesWindowsUpdate | Registry (C0036) | -- |
| recon_programs | InstalledApps | Registry (C0036) | RegQueryValueExA, RegQueryValueExW |
| antiav_srp | AntiAVSRP | Registry::Set Registry Value (C0036.001) | -- |
| recon_fingerprint | Fingerprint | Registry (C0036) | -- |
| removes_pinned_programs | RemovesPinnedPrograms | Registry (C0036) | -- |
| bypass_firewall | BypassFirewall | Registry::Set Registry Value (C0036.001) | -- |
| antivm_vmware_keys | VMwareDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| antivm_vbox_keys | VBoxDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| disables_smartscreen | DisablesSmartScreen | Registry (C0036) | -- |
| recon_fingerprint | Fingerprint | Registry (C0036) | -- |
| browser_proxy | ModifyProxy | Registry::Set Registry Value (C0036.001) | -- |
| stealth_hiddenextension | StealthHiddenExtension | Registry (C0036) | -- |
| rat_blackremote | BlackRATRegistryKeys | Registry (C0036) | RegSetValueExW, RegQueryValueExW |
| disables_event_logging | DisablesEventLogging | Registry (C0036) | -- |
| disables_sysrestore | DisablesSystemRestore | Registry (C0036) | -- |
| removes_pinned_programs | RemovesPinnedPrograms | Registry (C0036) | -- |
| removes_startmenu_defaults | RemovesStartMenuDefaults | Registry (C0036) | -- |
| rat_warzone | WarzoneRATRegkeys | Registry (C0036) | -- |
| bypass_firewall | BypassFirewall | Registry::Set Registry Value (C0036.001) | -- |
| stealth_hidenotifications | StealthHideNotifications | Registry (C0036) | -- |
| stealth_hiddenreg | StealthHiddenReg | Registry (C0036) | -- |
| ransomware_revil_regkey | RevilRegkey | Registry (C0036) | -- |
| accesses_netlogon | AccessesMailslot | Registry::Open Registry Key (C0036.003) | -- |
| accesses_netlogon | AccessesNetlogonRegkey | Registry::Open Registry Key (C0036.003) | -- |
| browser_addon | BrowserAddon | Registry::Set Registry Value (C0036.001) | -- |
| antivm_generic_scsi | AntiVMSCSI | Registry::Query Registry Key (C0036.005) | RegOpenKeyExA, RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW |
| recon_programs | InstalledApps | Registry (C0036) | RegQueryValueExA, RegQueryValueExW |
| disables_windefender | DisablesWindowsDefender | Registry (C0036) | -- |
| disables_windefender | RemovesWindowsDefenderContextMenu | Registry (C0036) | -- |
| disables_windefender | DisablesWindowsDefenderLogging | Registry (C0036) | -- |
| disables_windefender | DisablesWindowsDefenderDISM | Registry (C0036) | -- |
| office_dll_loading | OfficePerfKey | Registry (C0036) | -- |
| disables_folder_options | DisableFolderOptions | Registry (C0036) | -- |
| ransomware_radamant | RansomwareRadamant | Registry (C0036) | -- |
| antiav_bypass | ModifiesAttachmentManager | Registry::Set Registry Value (C0036.001) | -- |
| rat_spynet | SpynetRat | Registry (C0036) | -- |
| rat_njrat_regkeys | NjratRegkeys | Registry (C0036) | -- |
| disables_uac | DisablesUAC | Registry (C0036) | -- |
| remcos | RemcosRegkeys | Registry (C0036) | -- |
| disables_power_options | DisablesPowerOptions | Registry (C0036) | -- |
| browser_bho | BrowserHelperObject | Registry::Set Registry Value (C0036.001) | -- |
| disables_windowsupdate | DisablesWindowsUpdate | Registry (C0036) | -- |
| antivm_vpc_keys | VPCDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| antivm_hyperv_keys | HyperVDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| antivm_xen_keys | XenDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| antivm_generic_system | AntiVMSystem | Registry::Query Registry Key (C0036.005) | -- |
| antiemu_wine | WineDetectReg | Registry::Query Registry Key (C0036.005) | -- |
| virus_neshta | NeshtaRegKeys | Registry (C0036) | RegSetValueExA, RegSetValueExW |
| antivm_generic_bios | AntiVMBios | Registry::Query Registry Key (C0036.005) | -- |
| hides_recyclebin_icon | HidesRecycleBinIcon | Registry (C0036) | -- |
| antiav_detectreg | AntiAVDetectReg | Registry::Query Registry Key (C0036.005) | -- |
| browser_security | BrowserSecurity | Registry::Set Registry Value (C0036.001) | -- |
| banker_geodo | Geodo | Registry::Set Registry Value (C0036.001) | -- |
| antiav_srp | AntiAVSRP | Registry::Set Registry Value (C0036.001) | -- |
| antivm_parallels_keys | ParallelsDetectKeys | Registry::Query Registry Key (C0036.005) | -- |
| disables_startmenu_search | DisablesStartMenuSearch | Registry (C0036) | -- |
| office_security | OfficeSecurity | Registry (C0036) | -- |
| tampers_etw | TampersETW | Registry (C0036) | -- |
| persistence_ifeo | PersistenceIFEO | Registry (C0036) | -- |
| persistence_ifeo | PersistenceSilentProcessExit | Registry (C0036) | -- |
| persistence_shim | PersistenceShimDatabase | Registry (C0036) | -- |
| disables_app | DisablesAppLaunch | Registry (C0036) | -- |
| disables_backups | DisablesBackups | Registry (C0036) | -- |
| disables_appv_virtualization | DisablesAppVirtualiztion | Registry (C0036) | -- |
| disables_browserwarn | DisablesBrowserWarn | Registry (C0036) | -- |
| creates_largekey | CreatesLargeKey | Registry (C0036) | NtSetValueKey, RegSetValueExA RegSetValueExW |
| remote_desktop | RDPTCPKey | Registry (C0036) | -- |
| ransomware_medusalocker | MedusaLockerRegkeys | Registry (C0036) | -- |
| antivm_generic_cpu | AntiVMCPU | Registry::Query Registry Key (C0036.005) | filter_apinames = set |
| disables_app_autotermination | DisablesAutomaticAppTermination | Registry (C0036) | -- |
| disables_restore_default_state | DisablesRestoreDefaultState | Registry (C0036) | -- |
| disables_context_menus | DisablesContextMenus | Registry (C0036) | -- |
| ransomware_nemty | NemtyRegkeys | Registry (C0036) | -- |
| disables_cpl_display | DisablesCPLDisplay | Registry (C0036) | -- |
| antivm_generic_diskreg | AntiVMDiskReg | Registry::Query Registry Key (C0036.005) | -- |
| modifies_oem | ModifiesOEMInformation | Registry (C0036) | -- |
| forces_mappeddrives_uac | MappedDrivesUAC | Registry (C0036) | -- |
| rat_limerat | LimeRATRegkeys | Registry (C0036) | -- |
| persistence_remotedesktop | PersistenceRDPRegistry | Registry (C0036) | -- |
| prevents_safeboot | PreventsSafeboot | Registry (C0036) | -- |
| removes_sec_maintain_icon | RemovesSecurityAndMaintenanceIcon | Registry (C0036) | -- |
| creates_nullvalue | CreatesNullValue | Registry (C0036) | NtSetValueKey, NtCreateKey |
| antianalysis_detectreg | AntiAnalysisDetectReg | Registry::Open Registry Key (C0036.003) | -- |
| disables_notificationcenter | DisablesNotificationCenter | Registry (C0036) | -- |
| trojan_ursnif | UrsnifBehavior | Registry (C0036) | -- |
| packer_armadillo_regkey | ArmadilloRegKey | Registry (C0036) | -- |
| browser_startpage | browser_startpage | Registry::Set Registry Value (C0036.001) | -- |
| tampers_powershell_logging | TampersPowerShellLogging | Registry (C0036) | -- |
| credential_access | EnablesWDigest | Registry (C0036) | -- |
| disables_run_command | DisableRunCommand | Registry (C0036) | -- |
| backdoor_ketrican_regkeys | KetricanRegkeys | Registry::Query Registry Key (C0036.005) | -- |
| removes_networking_icon | RemovesNetworkingIcon | Registry (C0036) | -- |
| modifies_certs | ModifiesCerts | Registry (C0036) | -- |
| removes_username_startmenu | RemovesUsernameStartMenu | Registry (C0036) | -- |
| disables_wer | DisablesWER | Registry (C0036) | -- |
Registry::Query Registry Key
SHA256: 1e0215f67fb7b02bc44f33bf6a5b884c3061cbeb38e0150b559635458951fa53 Location: 0x408723push eax ; phkResult: stores pointer to handle containing open registry key push 0x1 ; samDesired: Desired access rights for opened key. 0x1 is KEY_QUERY_VALUE, which is required to query the value of the sought registry key push 0x0 ; ulOptions: Optional key set to 0, so no options passed to registry key push ecx ; lpSubKey: Optional parameter indicating a subkey to read from push edx ; handle to open registry key or name of registry key to open call dword ptr [->ADVAPI32.DLL::RegOpenKeyExA] ; Windows API call which opens registry key for the query
[1] capa v4.0, analyzed at MITRE on 10/12/2022