Use a fake virtual machine to stop malware

Not so long ago, a post revealed that some advanced malware can detect a virtual environment such as a sandbox in order to evade detection and analysis. Because some threats can also detect the monitoring tools used for malware analysis, such malware simply refuses to run and therefore appears harmless. A quick proof of concept (PoC) was created to turn this behaviour into a defensive tactic: if a sample checks for the artifacts of a virtual machine or an analysis tool before it runs, planting those same artifacts on an ordinary workstation can make it abort. Some malware also check for a specific mutex or registry key before running (an earlier version of Locky did this).
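The following script is an added illustration of that defensive tactic; it is not the PoC from the original post or Thomas Roccia's code. It plants registry keys that public VM-detection checks (for example those implemented in pafish and al-khaser) look for, and holds a named mutex so that a sample which treats "mutex already exists" as "already infected" or "being analysed" bails out. The registry value contents and the mutex name `Global\FakeAnalysisMutex` are assumptions chosen for the example; a real vaccine mutex has to use the name taken from analysis of the sample you want to stop.

```powershell
# Added example, not the original post's or Thomas Roccia's PoC code.
# Plants fake VM artifacts so that VM-aware malware refuses to run.
# Requires an elevated PowerShell session (it writes under HKLM).
[CmdletBinding()]
param(
    [switch]$Undo,     # remove the fake registry keys and exit
    [switch]$NoWait    # create the artifacts and exit without holding the mutex
)

# Registry keys that common VM-detection routines probe. The value data is
# assumed for this example; the detection code usually only tests existence.
$fakeKeys = @{
    'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools'         = @{ InstallPath = 'C:\Program Files\VMware\VMware Tools\' }
    'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions' = @{ Version     = '6.1.0' }
}

# Hypothetical mutex name. A vaccine mutex must match the name the targeted
# sample checks, which comes from analysing that sample, not from this script.
$mutexName = 'Global\FakeAnalysisMutex'

if ($Undo) {
    foreach ($key in $fakeKeys.Keys) {
        if (Test-Path $key) {
            Remove-Item -Path $key -Recurse -Force
            Write-Host "Removed $key"
        }
    }
    return
}

# 1. Registry artifacts persist across reboots once written.
foreach ($key in $fakeKeys.Keys) {
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    foreach ($name in $fakeKeys[$key].Keys) {
        New-ItemProperty -Path $key -Name $name -Value $fakeKeys[$key][$name] `
            -PropertyType String -Force | Out-Null
    }
    Write-Host "Created $key"
}

# 2. A named mutex only exists while some process holds a handle to it, so the
#    script has to stay resident (for example, run it from a logon scheduled task).
$createdNew = $false
$mutex = New-Object System.Threading.Mutex($false, $mutexName, [ref]$createdNew)
if (-not $createdNew) {
    Write-Warning "Mutex $mutexName already existed; another instance may be holding it."
}
Write-Host "Holding mutex $mutexName (Ctrl+C to release)"

if ($NoWait) { return }   # the handle is released when the process exits
try {
    while ($true) { Start-Sleep -Seconds 3600 }
}
finally {
    $mutex.Dispose()
}
```

Run it once from an elevated prompt to create the keys, and use `-Undo` to remove them again. Two caveats apply: this is a cheap hardening layer rather than a control, since a sample that also checks CPUID, MAC address prefixes, loaded drivers or process names will not be fooled by registry keys alone; and some legitimate software changes its behaviour when it believes it runs inside a VM, so test on a non-production machine first.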

The proof of concept, including the function that creates the fake registry keys, can be found in Thomas Roccia's post here. He explains the concept in detail, once again confirming that malware is becoming more advanced and harder to analyze.