Sounds worth trying, but I am confident that if it works it won't take the bad guys long to figure out a new approach to get around it.
This isn't a new war; it's been going on for several years.
Researchers have been using honeypots for quite some time, trying to capture malware and figure out its behavior, including tracing its interaction with the C&C servers that some use. For that they favor using virtual machines, which allow them to observe the malware. It's been so effective that the malware authors have already reacted to it by adding sophisticated "blue pill detection" routines, to see if they are actually running in a VM. If they successfully detect the VM, they don't activate. These started showing up a few years ago.
So it turns into an escalating tech war. The hackers detect the blue pill. The blue pill gets upgraded, the hackers figure out how to detect it again, the pill gets updated again, etc etc.