Hacker News

Some malware will store the executable and all configuration encrypted on the disk and will only decrypt in memory with a key downloaded from the internet.

Of course you can still defeat this if you dump the memory or reverse engineer the process to get the key yourself. Makes it a bit harder but still not impossible.
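The point of the comment above, shown as an added example that is not part of the thread: a payload kept encrypted on disk is invisible to a signature scan of the file, but the same scan over the process's memory after decryption finds it, because the program must hold the plaintext to use it. The "payload", the signature and the key-fetch function are constructed for the demo (the key is returned by a local stub standing in for the remote download the comment describes).

```python
"""Disk-vs-memory signature scan (added illustration, not from the thread).

A harmless constructed "payload" is stored XOR-encrypted. The key is never
written next to it; fetch_key_from_network() is a stub for the download the
comment mentions. A scanner that only looks at the on-disk bytes misses the
signature; a scanner run over the decrypted buffer in memory finds it.
"""

# Constructed signature a scanner would look for (assumption for the demo).
SIGNATURE = b"DEMO-PAYLOAD-MARKER"


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Symmetric XOR keystream; used for both encrypt and decrypt."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def fetch_key_from_network() -> bytes:
    """Stub: in the scenario the key comes from a remote server, not the disk."""
    return b"key-assumed-for-demo"


def build_on_disk_blob(key: bytes) -> bytes:
    """What would be written to disk: configuration plus marker, encrypted."""
    plaintext = b"config=demo;" + SIGNATURE + b";end"
    return xor_bytes(plaintext, key)


def signature_scan(regions: list[bytes]) -> bool:
    """Return True if the signature appears in any of the given byte regions."""
    return any(SIGNATURE in region for region in regions)


def demo() -> dict:
    key = fetch_key_from_network()
    on_disk = build_on_disk_blob(key)

    # Disk scanner: only sees the encrypted file contents.
    disk_hit = signature_scan([on_disk])

    # Memory scanner: sees the process's buffers after it decrypted the blob
    # (here simulated as a list of regions: the encrypted copy and the plaintext).
    in_memory = xor_bytes(on_disk, key)
    memory_hit = signature_scan([on_disk, in_memory])

    return {"disk_hit": disk_hit, "memory_hit": memory_hit}


if __name__ == "__main__":
    print(demo())  # {'disk_hit': False, 'memory_hit': True}
```

The practical takeaway for detection is where to scan: the on-disk artifact tells you nothing once the author has moved the key off the box, so hunting has to look at process memory (or at the behaviour around the key fetch), which is exactly why the comment calls it only "a bit harder".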



Unless the disk has some way of checking the hash sum of its own file structure before execution, additional debug and logging scripts can be added which load at boot time and record the entire process. It’s a cat and mouse game.



