There are many variants of malware that implement persistence mechanisms. One of the most popular persistence mechanisms is a registry run key. Registry run keys are used to execute a program upon logon. When a malware variant infects a computer, it may also create a registry run key to ensure that the program is executed upon every login. Registry run keys can be found in four separate locations. The “Run” keys will maintain persistence, whereas the “RunOnce” keys will only execute upon the next login.
Four Registry Run Keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
(Microsoft, 2018)
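To make the check concrete, here is an added PowerShell example (not part of the original post) that enumerates the four keys listed above on a live host and flags entries a responder would want to look at first. It assumes an elevated PowerShell session on the system being examined; the `$KnownGood` allowlist is a constructed placeholder that should be replaced with the baseline for your own environment.

```powershell
# Added example (not from the original post): list the four Run/RunOnce
# keys described above and flag entries that commonly merit a closer look.
# Assumptions: elevated PowerShell on the live system; the allowlist below
# is a constructed placeholder, replace it with your host baseline.

$RunKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Constructed allowlist of value names considered known-good (placeholder).
$KnownGood = @('SecurityHealth', 'OneDrive')

# Heuristics: commands launched from user-writable folders, or via script hosts
# and other signed binaries that are frequently used to proxy execution.
$SuspiciousPathPattern = '(?i)\\(Temp|AppData|Downloads|Public|ProgramData)\\'
$ScriptHostPattern     = '(?i)\b(powershell|pwsh|wscript|cscript|mshta|rundll32|regsvr32|cmd)(\.exe)?\b'

$Findings = foreach ($KeyPath in $RunKeys) {
    $Key = Get-Item -Path $KeyPath -ErrorAction SilentlyContinue
    if (-not $Key) { continue }   # RunOnce keys are often absent on a clean host

    foreach ($Name in $Key.GetValueNames()) {
        # Keep %VARIABLES% unexpanded so the stored command is recorded verbatim
        $Command = [string]$Key.GetValue($Name, $null,
            [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)

        $Reasons = @()
        if ($KnownGood -notcontains $Name)         { $Reasons += 'not in baseline' }
        if ($Command -match $SuspiciousPathPattern) { $Reasons += 'user-writable path' }
        if ($Command -match $ScriptHostPattern)     { $Reasons += 'script/proxy host' }
        if ($KeyPath -like '*RunOnce')              { $Reasons += 'RunOnce (removed after next logon)' }

        [pscustomobject]@{
            Key     = $KeyPath
            Name    = $Name
            Command = $Command
            Flags   = ($Reasons -join '; ')
        }
    }
}

# Every entry is shown so the full state lands in the case notes;
# flagged entries sort to the top.
$Findings | Sort-Object { $_.Flags -eq '' }, Name | Format-Table -AutoSize -Wrap
```

Two points to keep in mind when reading the output: `HKCU` only reflects the user the shell is running as, so other profiles on the machine need their `NTUSER.DAT` hives loaded (or examined offline) to cover their `Run` and `RunOnce` keys; and because `RunOnce` values are deleted once they execute, recording them before any further logon is what preserves that evidence.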
If a computer is shut down during the infection, all relevant volatile data will be lost. There has been an increase in fileless malware, which makes memory analysis even more important. The presence of fileless malware threat vectors increased by 396% from January 2018 – June 2019 (TrendMicro, 2019). It is possible to fail to capture the infection vector if the system is powered down prior to a memory capture.
When approaching a malware infection, it is best to start by eliminating any data transmissions. This can be done by removing the device from the network. The goal is to leave the system running while preventing the transmission of data. This provides analysts with the most evidence while still minimizing any data exfiltration.
References
Microsoft. (2018, May 30). Run and RunOnce Registry Keys. Retrieved from microsoft.com: https://docs.microsoft.com/en-us/windows/win32/setupapi/run-and-runonce-registry-keys
TrendMicro. (2019, July 29). Risks Under the Radar. Retrieved from TrendMicro: https://www.trendmicro.com/vinfo/us/security/news/security-technology/risks-under-the-radar-understanding-fileless-threats
-Brian