| **ID** | **Objective(s)** | **Related ATT&CK Techniques** | **Version** | **Created** | **Last Modified** |
|----|----|----|----|----|----|
| C0036 | Operating System | None | 2.1 | 4 December 2020 | 13 September 2023 |

# Registry

Malware modifies the registry.

## Methods

| Name | ID | Description |
|----|----|----|
| Create Registry Key | C0036.004 | Malware creates a registry key. |
| Delete Registry Key | C0036.002 | Malware deletes a registry key. |
| Delete Registry Value | C0036.007 | Malware deletes a registry value. |
| Open Registry Key | C0036.003 | Malware opens a registry key. |
| Query Registry Key | C0036.005 | Malware queries a registry key. |
| Query Registry Value | C0036.006 | Malware queries a registry value. |
| Set Registry Value | C0036.001 | Malware sets a registry value. |

## Use in Malware

| Name | Date | Method | Description |
|----|----|----|----|
| BlackEnergy | 2007 | C0036.005 | BlackEnergy queries or enumerates a registry key. [1] |
| BlackEnergy | 2007 | C0036.006 | BlackEnergy queries or enumerates a registry value. [1] |
| Dark Comet | 2008 | C0036.001 | Dark Comet sets registry values. [1] |
| Dark Comet | 2008 | C0036.002 | Dark Comet deletes registry keys. [1] |
| Dark Comet | 2008 | C0036.005 | Dark Comet queries or enumerates registry keys. [1] |
| Dark Comet | 2008 | C0036.006 | Dark Comet queries or enumerates registry values. [1] |
| Dark Comet | 2008 | C0036.007 | Dark Comet deletes registry values. [1] |
| DNSChanger | 2011 | C0036.001 | DNSChanger sets registry keys. [1] |
| DNSChanger | 2011 | C0036.006 | DNSChanger queries or enumerates registry values. [1] |
| Gamut | 2014 | C0036.001 | Gamut sets registry values. [1] |
| Gamut | 2014 | C0036.002 | Gamut deletes registry keys. [1] |
| Gamut | 2014 | C0036.005 | Gamut queries or enumerates registry keys. [1] |
| Gamut | 2014 | C0036.006 | Gamut queries or enumerates registry values. [1] |
| Gamut | 2014 | C0036.007 | Gamut deletes registry values. [1] |
| GoBotKR | 2019 | C0036.006 | GoBotKR queries or enumerates registry values. [1] |
| Hupigon | 2013 | C0036.001 | Hupigon sets registry values. [1] |
| Hupigon | 2013 | C0036.002 | Hupigon deletes registry keys. [1] |
| Hupigon | 2013 | C0036.005 | Hupigon queries or enumerates registry keys. [1] |
| Hupigon | 2013 | C0036.006 | Hupigon queries or enumerates registry values. [1] |
| Hupigon | 2013 | C0036.007 | Hupigon deletes registry values. [1] |
| Kovter | 2016 | C0036.004 | Kovter creates or opens registry keys. [1] |
| Kovter | 2016 | C0036.006 | Kovter queries or enumerates registry values. [1] |
| Locky Bart | 2017 | C0036.001 | Locky Bart sets registry values. [1] |
| Poison Ivy | 2005 | C0036.006 | Poison Ivy queries or enumerates registry values. [1] |
| Redhip | 2011 | C0036.001 | Redhip sets registry values. [1] |
| Redhip | 2011 | C0036.002 | Redhip deletes registry keys. [1] |
| Redhip | 2011 | C0036.006 | Redhip queries or enumerates registry values. [1] |
| Rombertik | 2015 | C0036.001 | Rombertik sets registry values. [1] |
| Rombertik | 2015 | C0036.002 | Rombertik deletes registry keys. [1] |
| Rombertik | 2015 | C0036.006 | Rombertik queries or enumerates registry values. [1] |
| Shamoon | 2012 | C0036.006 | Shamoon queries or enumerates registry values. [1] |
| Shamoon | 2012 | C0036.007 | Shamoon deletes registry values. [1] |
| UP007 | 2016 | C0036.001 | UP007 sets registry values. [1] |
| UP007 | 2016 | C0036.006 | UP007 queries or enumerates registry values. [1] |

## Detection

| Tool: capa | Mapping | APIs |
|----|----|----|
| set registry key via offline registry library | Registry::Set Registry Key (C0036.001) | ORSetValue, ORSaveHive |
| open registry key via offline registry library | Registry::Open Registry Key (C0036.003) | OROpenHive, OROpenKey |
| query or enumerate registry key | Registry::Query Registry Key (C0036.005) | advapi32.RegEnumKey, advapi32.RegEnumKeyEx, advapi32.RegQueryInfoKeyA, ZwQueryKey, ZwEnumerateKey, NtQueryKey, NtEnumerateKey, RtlCheckRegistryKey, SHEnumKeyEx, SHQueryInfoKey, SHRegEnumUSKey, SHRegQueryInfoUSKey, Microsoft.Win32.RegistryKey::GetSubKeyNames, Microsoft.Win32.RegistryKey::OpenBaseKey, Microsoft.Win32.RegistryKey::OpenRemoteBaseKey, Microsoft.Win32.RegistryKey::OpenSubKey |
| query or enumerate registry value | Registry::Query Registry Value (C0036.006) | advapi32.RegGetValue, advapi32.RegEnumValue, advapi32.RegQueryValue, advapi32.RegQueryValueEx, advapi32.RegQueryMultipleValues, ZwQueryValueKey, ZwEnumerateValueKey, NtQueryValueKey, NtEnumerateValueKey, RtlQueryRegistryValues, SHGetValue, SHEnumValue, SHRegGetInt, SHRegGetPath, SHRegGetValue, SHQueryValueEx, SHRegGetUSValue, SHOpenRegStream, SHRegEnumUSValue, SHOpenRegStream2, SHRegQueryUSValue, SHRegGetBoolUSValue, SHRegGetValueFromHKCUHKLM, SHRegGetBoolValueFromHKCUHKLM, Microsoft.Win32.RegistryKey::GetValue, Microsoft.Win32.RegistryKey::GetValueKind, Microsoft.Win32.RegistryKey::GetValueNames, Microsoft.Win32.Registry::GetValue |
| query registry key via offline registry library | Registry::Query Registry Value (C0036.006) | ORGetValue |
| create registry key via offline registry library | Registry::Create Registry Key (C0036.004) | ORCreateHive, ORCreateKey |
| set registry value | Registry::Set Registry Key (C0036.001) | advapi32.RegSetValue, advapi32.RegSetValueEx, advapi32.RegSetKeyValue, ZwSetValueKey, NtSetValueKey, RtlWriteRegistryValue, SHSetValue, SHRegSetPath, SHRegSetValue, SHRegSetUSValue, SHRegWriteUSValue, Microsoft.Win32.RegistryKey::SetValue, Microsoft.Win32.Registry::SetValue |
| delete registry key | Registry::Delete Registry Key (C0036.002) | advapi32.RegDeleteKey, advapi32.RegDeleteTree, advapi32.RegDeleteKeyEx, advapi32.RegDeleteKeyTransacted, ZwDeleteKey, NtDeleteKey, SHDeleteKey, SHDeleteEmptyKey, SHRegDeleteEmptyUSKey, Microsoft.Win32.RegistryKey::DeleteSubKey, Microsoft.Win32.RegistryKey::DeleteSubKeyTree |
| delete registry value | Registry::Delete Registry Value (C0036.007) | advapi32.RegDeleteValue, advapi32.RegDeleteKeyValue, ZwDeleteValueKey, NtDeleteValueKey, RtlDeleteRegistryValue, SHDeleteValue, SHRegDeleteUSValue, Microsoft.Win32.RegistryKey::DeleteValue |
| create or open registry key | Registry::Create Registry Key (C0036.004) | advapi32.RegOpenKey, advapi32.RegOpenKeyEx, advapi32.RegCreateKey, advapi32.RegCreateKeyEx, advapi32.RegOpenCurrentUser, advapi32.RegOpenKeyTransacted, advapi32.RegOpenUserClassesRoot, advapi32.RegCreateKeyTransacted, ZwOpenKey, ZwOpenKeyEx, ZwCreateKey, ZwOpenKeyTransacted, ZwOpenKeyTransactedEx, ZwCreateKeyTransacted, NtOpenKey, NtCreateKey, SHRegOpenUSKey, SHRegCreateUSKey, RtlCreateRegistryKey, Microsoft.Win32.RegistryKey::OpenSubKey, Microsoft.Win32.RegistryKey::OpenBaseKey, Microsoft.Win32.RegistryKey::OpenRemoteBaseKey, Microsoft.Win32.RegistryKey::CreateSubKey |
| create or open registry key | Registry::Open Registry Key (C0036.003) | advapi32.RegOpenKey, advapi32.RegOpenKeyEx, advapi32.RegCreateKey, advapi32.RegCreateKeyEx, advapi32.RegOpenCurrentUser, advapi32.RegOpenKeyTransacted, advapi32.RegOpenUserClassesRoot, advapi32.RegCreateKeyTransacted, ZwOpenKey, ZwOpenKeyEx, ZwCreateKey, ZwOpenKeyTransacted, ZwOpenKeyTransactedEx, ZwCreateKeyTransacted, NtOpenKey, NtCreateKey, SHRegOpenUSKey, SHRegCreateUSKey, RtlCreateRegistryKey, Microsoft.Win32.RegistryKey::OpenSubKey, Microsoft.Win32.RegistryKey::OpenBaseKey, Microsoft.Win32.RegistryKey::OpenRemoteBaseKey, Microsoft.Win32.RegistryKey::CreateSubKey |

## References

[1] capa v4.0, analyzed at MITRE on 10/12/2022