T1497.001 System Checks in MITRE ATT&CK Explained
February 25, 2026
What Is T1497.001 System Checks in MITRE ATT&CK?
T1497.001 System Checks is a sub technique of Virtualization and Sandbox Evasion (T1497) in the MITRE ATT&CK framework. It describes how malware inspects its execution environment to identify whether it is running on a real endpoint or within a virtual machine or sandbox.
Rather than executing malicious logic immediately, malware performing system checks collects environmental indicators such as hardware attributes, operating system configuration, registry artifacts, network properties, and system naming conventions. These signals help adversaries determine how closely the environment resembles a legitimate user workstation.
When indicators associated with virtualization or malware analysis are detected, the malware may alter its behavior to evade detection. Common responses include delaying execution, suppressing payload delivery, terminating the process, or remaining dormant until a more realistic environment is identified. This technique enables adversaries to bypass automated analysis systems and reduce the likelihood of early detection.
To read about other sub-techniques of the T1497 Virtualization and Sandbox Evasion technique, you can visit the related hub blog.
Adversary Use of T1497.001 System Checks
Malware may perform a variety of system attribute probes to assess whether it’s executing in a real physical host versus an analysis environment.
Hardware and Configuration Indicators
- Disk, BIOS, or firmware strings linked to VM vendors (for example, “VBOX” or “VMware”)
- Unusually low CPU core counts or constrained memory and storage
- Manufacturer or product fields explicitly labeled as “virtual”
- Absence of expected physical components such as audio devices or hardware sensors
- Direct interaction with hypervisor-specific instructions or I/O interfaces
Network & MAC Identifiers
- Network adapter names and MAC prefixes mapped to virtualization platforms.
| MAC Prefix | Associated Platform / Vendor |
|---|---|
| 00:05:69 | VMware, Inc. |
| 00:0C:29 | VMware, Inc. |
| 00:1C:14 | VMware, Inc. |
| 00:50:56 | VMware, Inc. |
| 08:00:27 | Oracle Corporation (VirtualBox) |
| 0A:00:27 | Oracle Corporation (VirtualBox) |
These prefixes are actively matched by malware to determine whether the host is a VM or a sandbox environment, influencing the decision to proceed with malicious execution. While these prefixes aren't definitive identifiers (since MAC addresses can be manually altered), they are common enough to be used as reliable heuristics for identifying virtual environments in both malware code and defensive analysis tools.
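The prefix match above is the same whether it sits in malware or in a defensive tool, so the following added example (not code from the original post or from any of the analyses it cites) shows the defender's side: a small auditor that normalizes adapter MAC addresses written in any of the usual notations (colon, hyphen, or Cisco dotted form) and reports which adapters of an analysis VM would be recognised by the OUI table above. The adapter list is constructed for the example; only the six prefixes from the table are used.

```python
import re
from typing import Iterable, Optional

# OUI prefixes from the table above, stored as upper-case hex without separators.
VM_OUI_PREFIXES = {
    "000569": "VMware, Inc.",
    "000C29": "VMware, Inc.",
    "001C14": "VMware, Inc.",
    "005056": "VMware, Inc.",
    "080027": "Oracle Corporation (VirtualBox)",
    "0A0027": "Oracle Corporation (VirtualBox)",
}


def normalize_mac(mac: str) -> Optional[str]:
    """Accept 00:0C:29:..., 00-0c-29-..., or 000c.29ab.cdef and return 12 upper-case hex digits.

    Returns None when the input does not contain exactly 12 hex digits, so callers can
    skip malformed entries instead of mis-matching them.
    """
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        return None
    return hexdigits.upper()


def oui_vendor(mac: str) -> Optional[str]:
    """Return the virtualization vendor for the MAC's first three octets, or None."""
    norm = normalize_mac(mac)
    if norm is None:
        return None
    return VM_OUI_PREFIXES.get(norm[:6])


def audit_adapters(adapters: Iterable[tuple]) -> list:
    """Return one finding per (adapter name, MAC) pair whose OUI maps to a VM vendor."""
    findings = []
    for name, mac in adapters:
        vendor = oui_vendor(mac)
        if vendor:
            findings.append({"adapter": name, "mac": normalize_mac(mac), "vendor": vendor})
    return findings


# Constructed sample adapter list for the example (not captured from a real host);
# the notations are deliberately mixed to exercise the normaliser.
SAMPLE_ADAPTERS = [
    ("Ethernet0", "00:0C:29:3A:7B:11"),   # VMware OUI, colon notation
    ("Ethernet1", "08-00-27-ab-cd-ef"),   # VirtualBox OUI, hyphen notation, lower case
    ("Wi-Fi", "AA:BB:CC:10:20:30"),       # locally administered, not in the table
    ("Loopback", "not-a-mac"),            # malformed, skipped
]

if __name__ == "__main__":
    for finding in audit_adapters(SAMPLE_ADAPTERS):
        print(f"{finding['adapter']}: {finding['mac']} -> {finding['vendor']}")
```

Running the auditor against the adapters of a sandbox image tells you which interfaces still advertise a hypervisor OUI; as the text notes, the prefix is a heuristic rather than proof, which is exactly why it is cheap for the sandbox operator to change and worth checking.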
System Information Artifacts
- Hostnames/usernames commonly used in sandboxes (“sandbox”, “malware”, etc.)
- Registry keys, installed services, and processes specific to VM software
- Presence of known sandbox tooling or drivers
Environmental / Execution Context
- Lack of typical user activity or normal telemetry
- File locations or filenames indicative of analysis (e.g., “sample”, “hash”)
Technically, these checks can leverage Windows Management Instrumentation (WMI), registry queries, OS-level system information discovery, CPU instruction inspection (e.g., via CPUID to detect hypervisor presence), and enumeration of running services or hardware devices. The malware may also scan the filesystem or registry for virtualization-specific identifiers.
In effect, T1497.001 serves as an "environment gatekeeper". Before performing malicious actions such as installing backdoors, dropping payloads, or initiating C2 communication, the malware ensures it's running on a legitimate target rather than in an analyst-controlled sandbox or virtual machine, thus evading detection and impeding analysis efforts.
Procedure Examples Used by Adversaries in Red Report 2026
After two consecutive years in which it did not appear in the Top 10 (2024 and 2025), the Virtualization and Sandbox Evasion technique reemerged in Red Report 2026 as one of the most commonly used techniques.
A perfect example is from an analysis done in June 2025, where Blitz malware was identified to be checking the system configuration, specifically the number of processors and screen resolution, to determine whether it's operating in a VM or sandbox [1]. Many virtual environments are configured with fewer resources, such as limited processors and low screen resolutions, which the malware uses as indicators of sandbox environments.
- Processor Count: Checks if the number of processors is fewer than four.
- Screen Resolution: Checks for specific low screen resolution values (e.g., 1024x768, 800x600 or 640x480).
- Sandbox Driver Check: Checks for the existence of a known sandbox driver: \\?\\A3E64E55_fl (associated with ANY.RUN).
- Registry Key/Value Checks: Checks for the existence of known sandbox and virtual environment registry values/keys.
```
# The malware checks the number of processors:
```
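To make the checks listed above concrete from the defender's side, here is an added example (written for this page, not code from the Blitz analysis or from the original post) that evaluates a snapshot of an analysis VM the way a T1497.001 system check would: processor count below four, a common low screen resolution, presence of the ANY.RUN driver path and the VirtualBox driver, the VMware Tools registry key, VM-related service names, and vendor strings in the manufacturer field. The `HostSnapshot` structure and both sample snapshots are constructed for the example; the thresholds and artifact strings are the ones named in the text, and the driver path is copied exactly as printed above. The example generalises beyond the four Blitz checks by also covering the indicators from the hardware and system information lists earlier in the post.

```python
from dataclasses import dataclass, field


@dataclass
class HostSnapshot:
    """Facts a sandbox operator collects from an analysis VM (constructed structure)."""
    processor_count: int
    screen_resolution: tuple                          # (width, height)
    present_paths: set = field(default_factory=set)   # file / device paths that exist
    registry_keys: set = field(default_factory=set)   # registry keys that exist
    service_names: set = field(default_factory=set)   # installed service names
    system_manufacturer: str = ""                     # e.g. WMI Win32_ComputerSystem.Manufacturer


# Thresholds and artifacts as described in the text above.
MIN_PROCESSORS = 4
LOW_RESOLUTIONS = {(1024, 768), (800, 600), (640, 480)}
VM_PATHS = {
    r"\\?\\A3E64E55_fl",                  # ANY.RUN driver path, copied as printed above
    r"System32\drivers\VBoxMouse.sys",    # VirtualBox driver probed by Bumblebee
}
VM_REGISTRY_KEYS = {r"SOFTWARE\VMware, Inc.\VMware Tools"}  # key probed by Bumblebee
VM_SERVICES = {"VMware Tools", "VMTools"}                   # services probed by HavanaCrypt
VM_VENDOR_MARKERS = ("virtual", "vmware", "vbox")           # vendor strings listed above


def audit_snapshot(snap: HostSnapshot) -> list:
    """Return every indicator this host would expose to a T1497.001 system check."""
    findings = []
    if snap.processor_count < MIN_PROCESSORS:
        findings.append(f"processor count {snap.processor_count} is below {MIN_PROCESSORS}")
    if tuple(snap.screen_resolution) in LOW_RESOLUTIONS:
        w, h = snap.screen_resolution
        findings.append(f"screen resolution {w}x{h} is a common sandbox default")
    # Path, key and service comparisons are case-insensitive, as Windows itself is.
    present = {p.lower() for p in snap.present_paths}
    for path in sorted(VM_PATHS):
        if any(p.endswith(path.lower()) for p in present):
            findings.append(f"path present: {path}")
    keys = {k.lower() for k in snap.registry_keys}
    for key in sorted(VM_REGISTRY_KEYS):
        if any(k.endswith(key.lower()) for k in keys):
            findings.append(f"registry key present: {key}")
    services = {s.lower() for s in snap.service_names}
    for svc in sorted(VM_SERVICES):
        if svc.lower() in services:
            findings.append(f"service installed: {svc}")
    manufacturer = snap.system_manufacturer.lower()
    for marker in VM_VENDOR_MARKERS:
        if marker in manufacturer:
            findings.append(f"manufacturer string contains '{marker}'")
            break
    return findings


# Constructed snapshots: an out-of-the-box sandbox that deliberately carries both VMware
# and VirtualBox artifacts so every check fires, and a hardened image that carries none.
DEFAULT_SANDBOX = HostSnapshot(
    processor_count=2,
    screen_resolution=(1024, 768),
    present_paths={r"C:\Windows\System32\drivers\VBoxMouse.sys", r"\\?\\A3E64E55_fl"},
    registry_keys={r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    service_names={"VMTools", "Spooler"},
    system_manufacturer="VMware, Inc.",
)
HARDENED_SANDBOX = HostSnapshot(
    processor_count=8,
    screen_resolution=(1920, 1080),
    present_paths={r"C:\Windows\System32\drivers\usbhub.sys"},
    registry_keys=set(),
    service_names={"Spooler"},
    system_manufacturer="Dell Inc.",
)

if __name__ == "__main__":
    for label, snap in (("default", DEFAULT_SANDBOX), ("hardened", HARDENED_SANDBOX)):
        print(label, audit_snapshot(snap) or ["no indicators"])
```

An empty findings list does not prove the image will pass every sample's checks (CPUID-based hypervisor detection and timing checks are outside this snapshot), but a non-empty list names the artifacts that the malware families above are documented to look for, which is the cheapest hardening backlog a sandbox operator can get.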
Procedure Examples Used by Adversaries in Red Report 2023
In March 2022, a new malware called Bumblebee began to be used in numerous phishing campaigns. Analysis of this malware shows that it searches for a VMware registry key that might indicate a virtual environment [2].
```c
// Bumblebee: registry sub-key compared against the VMware Tools installation key
lpSubKey = L"SOFTWARE\\VMware, Inc.\\VMware Tools";
```
In addition to the code above, the malware also attempts to search for particular VirtualBox files that might indicate a virtual environment:
```c
// Bumblebee: first entry in the list of VirtualBox driver files it looks for
pszFile[0] = L"System32\\drivers\\VBoxMouse.sys";
```
HavanaCrypt malware also has anti-virtualization techniques to avoid dynamic analysis when executed in a virtual machine. This malware checks for the services that are mainly used by virtual machines like VMware Tools and VMTools [3]:
```csharp
// HavanaCrypt: obfuscated array of service names to check; entries as named in the text above
private static readonly string[] C3554254475 = new string[] { "VMware Tools", "VMTools" };
```
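The three fragments above (the VMware Tools registry key, the VBoxMouse.sys driver file, and the VMware Tools/VMTools service names) are also what a detection engineer has to work with, so the following added example (written for this page, not code from any of the cited analyses) runs simple detection logic over constructed telemetry. The event lines use a simplified JSON schema invented for the example (`pid`, `image`, `type`, `target`) rather than any real EDR or Sysmon format; the allowlist of `vmtoolsd.exe` and the two-artifact threshold are assumptions a team would tune for its own estate. A single process that touches two or more distinct VM artifacts is reported as a T1497.001 candidate; a legitimate guest agent touching its own key is not.

```python
import json
from collections import defaultdict
from typing import Optional

# Artifact strings taken from the analyses quoted above (Bumblebee, HavanaCrypt).
VM_ARTIFACTS = {
    "registry": [r"SOFTWARE\VMware, Inc.\VMware Tools"],
    "file": [r"System32\drivers\VBoxMouse.sys"],
    "service": ["VMware Tools", "VMTools"],
}

# Assumption: processes expected to touch these artifacts legitimately; tune per estate.
ALLOWLISTED_IMAGES = {"vmtoolsd.exe"}

# Assumption: a process must touch this many distinct VM artifacts before we alert.
MIN_DISTINCT_ARTIFACTS = 2


def match_artifact(event_type: str, target: str) -> Optional[str]:
    """Return the artifact string the event target refers to (case-insensitive substring), or None."""
    for artifact in VM_ARTIFACTS.get(event_type, []):
        if artifact.lower() in target.lower():
            return artifact
    return None


def detect_vm_probing(log_lines: str) -> list:
    """Scan newline-delimited JSON events and return one alert per process over the threshold."""
    hits = defaultdict(set)   # pid -> {(type, artifact), ...}
    images = {}               # pid -> image path, for the alert
    for line in log_lines.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip a malformed line rather than abort the whole scan
        image_name = ev["image"].rsplit("\\", 1)[-1].lower()
        if image_name in ALLOWLISTED_IMAGES:
            continue
        artifact = match_artifact(ev["type"], ev["target"])
        if artifact:
            hits[ev["pid"]].add((ev["type"], artifact))
            images[ev["pid"]] = ev["image"]
    alerts = []
    for pid, artifacts in hits.items():
        if len(artifacts) >= MIN_DISTINCT_ARTIFACTS:
            alerts.append({
                "pid": pid,
                "image": images[pid],
                "artifacts": sorted(artifacts),
                "technique": "T1497.001",
            })
    return alerts


# Constructed sample events (not real telemetry). One process probes three artifacts,
# the guest agent touches its own key, one process touches a single artifact, one is benign.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Users\user\Downloads\invoice.exe", "type": "registry",
     "target": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"pid": 4120, "image": r"C:\Users\user\Downloads\invoice.exe", "type": "file",
     "target": r"C:\Windows\System32\drivers\VBoxMouse.sys"},
    {"pid": 4120, "image": r"C:\Users\user\Downloads\invoice.exe", "type": "service",
     "target": "VMTools"},
    {"pid": 880, "image": r"C:\Program Files\VMware\VMware Tools\vmtoolsd.exe", "type": "registry",
     "target": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
    {"pid": 5000, "image": r"C:\Windows\System32\notepad.exe", "type": "file",
     "target": r"C:\Users\user\notes.txt"},
    {"pid": 6000, "image": r"C:\Users\user\AppData\Local\Temp\update.exe", "type": "registry",
     "target": r"HKLM\SOFTWARE\VMware, Inc.\VMware Tools"},
]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in detect_vm_probing(SAMPLE_LOG):
        print(json.dumps(alert))
```

The per-process correlation is the point: any one of these lookups is common in a fleet that actually runs VMware or VirtualBox, but an unsigned binary from a Downloads or Temp directory reading the VMware Tools key, stat-ing a VirtualBox driver and enumerating VMTools in the same session is the "environment gatekeeper" behaviour the earlier section describes.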
In an attack campaign targeting an energy organization in Ukraine, Unit 42 analyzed malware that checked the BIOS version for known virtual machine identifiers [4].
Beginning in early May 2022, Cuba ransomware operators packed their Domain Admin tool with Themida and relied on its anti-VM features. When the tool is executed on a virtual machine, it pops up an alert message saying "Sorry, this application cannot run under a Virtual Machine" [5].
Validate Your Defenses Against the Red Report 2026 Threats
References
[1] D. Reichel, “Blitz Malware: A Tale of Game Cheats and Code Repositories,” Unit 42, Jun. 06, 2025. Available: https://unit42.paloaltonetworks.com/blitz-malware-2025/.
[2] E. Salem, “The chronicles of Bumblebee: The Hook, the Bee, and the Trickbot connection,” Medium, Apr. 27, 2022. https://elis531989.medium.com/the-chronicles-of-bumblebee-the-hook-the-bee-and-the-trickbot-connection-686379311056 [Accessed: Dec. 29, 2022]
[3] S. Ozeren, “Emerging Cyber Threats of July 2022,” Aug. 08, 2022. https://www.picussecurity.com/resource/emerging-cyber-threats-of-july-2022 [Accessed: Dec. 29, 2022]
[4] R. Falcone, M. Harbison, and J. Grunzweig, “Threat Brief: Ongoing Russia and Ukraine Cyber Activity,” Unit 42, Jan. 20, 2022. https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/ [Accessed: Dec. 29, 2022]
[5] S. Ozeren, “CISA Alert AA22-335A: Cuba Ransomware Analysis, Simulation, TTPs & IOCs,” Dec. 08, 2022. https://www.picussecurity.com/resource/blog/cisa-alert-aa22-335a-cuba-ransomware-analysis-simulation-ttps-iocs [Accessed: Dec. 28, 2022]
