System Information Discovery
April 3, 2025
| ID | E1082 |
| Objective(s) | Discovery |
| Related ATT&CK Techniques | System Information Discovery (T1082) |
| Version | 2.3 |
| Created | 2 August 2022 |
| Last Modified | 30 April 2024 |
Malware may attempt to get detailed information about the system: the operating system version, hardware configuration, installed software, system uptime, and other system-level details. The results typically drive later decisions, such as choosing a payload compatible with the host or recognizing an analysis environment.
See ATT&CK: System Information Discovery (T1082).
Methods
| Name | ID | Description |
|---|---|---|
| Generate Windows Exception | E1082.m01 | Malware may trigger an exception as a way of gathering system details. |
| Enumerate Environment Variables | E1082.m02 | Malware may query environment variables as a way of gathering system details. |
Use in Malware
| Name | Date | Method | Description |
|---|---|---|---|
| TrickBot | 2016 | -- | The malware can collect information about the computer, resources, services, installed programs, firmware, and operating system versions. [7] |
| WebCobra | 2018 | -- | Malware learns about the system so it can drop compatible miner software. [8] |
| Ursnif | 2016 | -- | Malware uses Windows command prompt commands to gather system info, task list, installed drivers, and installed programs. [1] |
| BlackEnergy | 2007 | -- | Malware uses systeminfo to gather OS version, system configuration, BIOS, the motherboard, and processor. [2] |
| DarkComet | 2008 | -- | Malware can collect information about the computer, resources, and operating system version. [3] |
| Emotet | 2018 | -- | Emotet collects information related to OS, processes, and sometimes mail client information and sends it to C2. [4] |
| Stuxnet | 2010 | -- | Malware gathers information (OS version, workgroup status, computer name, domain/workgroup name, file name of infected project file) about each computer in the network to spread itself. [5] |
| Stuxnet | 2010 | -- | Stuxnet checks OS version. [5] |
| CHOPSTICK | 2015 | -- | CHOPSTICK collects information from the host including Windows version, CPU architecture, and UAC settings. [6] |
| CryptoLocker | 2013 | -- | The malware queries environment variables. [9] |
| Gamut | 2014 | -- | The malware queries environment variables. [9] |
| GoBotKR | 2019 | -- | GoBotKR uses wmic, systeminfo and ver commands to collect information about the system and the installed software and queries environment variables. [9] [10] |
| Hupigon | 2013 | -- | Hupigon queries environment variables. [9] |
| Kovter | 2016 | -- | Kovter gets disk information. [9] |
| Mebromi | 2011 | -- | Mebromi checks OS version. [9] |
| Redhip | 2011 | -- | Redhip checks the OS version. [9] |
| Rombertik | 2015 | -- | Rombertik gets the disk size. [9] |
| Shamoon | 2012 | -- | Shamoon gets the hostname. [9] |
| UP007 | 2016 | -- | The malware queries environment variables. [9] |
| Snake | 2004 | -- | Snake gets the OS version, disk size, machine name, and geographic location. [11] |
Detection
| Tool: capa | Mapping | APIs |
|---|---|---|
| query environment variable | System Information Discovery (E1082) | kernel32.GetEnvironmentVariable, kernel32.GetEnvironmentStrings, kernel32.ExpandEnvironmentStrings, msvcr90.getenv, msvcrt.getenv, System.Environment::GetEnvironmentVariable, System.Environment::GetEnvironmentVariables, System.Environment::ExpandEnvironmentVariables |
| get disk information | System Information Discovery (E1082) | kernel32.GetDriveType, kernel32.GetLogicalDrives, kernel32.GetVolumeInformation, kernel32.GetVolumeNameForVolumeMountPoint, kernel32.GetVolumePathNamesForVolumeName, kernel32.GetLogicalDriveStrings, kernel32.QueryDosDevice |
| get disk size | System Information Discovery (E1082) | kernel32.GetDiskFreeSpace, kernel32.GetDiskFreeSpaceEx |
| check OS version | System Information Discovery (E1082) | -- |
| get hostname | System Information Discovery (E1082) | kernel32.GetComputerName, kernel32.GetComputerNameEx, GetComputerObjectName, ws2_32.gethostname, gethostname |

| Tool: CAPE | Mapping | APIs |
|---|---|---|
| antivm_generic_disk | System Information Discovery (E1082) | DeviceIoControl, NtClose, NtCreateFile, NtDuplicateObject, NtOpenFile, NtDeviceIoControlFile |
| recon_systeminfo | System Information Discovery (E1082) | -- |
| recon_beacon | System Information Discovery (E1082) | HttpOpenRequestA, HttpSendRequestA |
| uses_adfind | System Information Discovery (E1082) | -- |
| antivm_generic_cpu | System Information Discovery (E1082) | -- |
| accesses_mailslot | System Information Discovery (E1082) | -- |
| accesses_netlogon_regkey | System Information Discovery (E1082) | -- |
| antivm_generic_bios | System Information Discovery (E1082) | -- |
| antivm_hyperv_keys | System Information Discovery (E1082) | -- |
| uses_windows_utilities_nltest | System Information Discovery (E1082) | -- |
| antivm_generic_scsi | System Information Discovery (E1082) | RegOpenKeyExW, RegQueryValueExA, RegQueryValueExW, RegOpenKeyExA |
| antivm_parallels_keys | System Information Discovery (E1082) | -- |
| antivm_generic_diskreg | System Information Discovery (E1082) | -- |
| antivm_generic_system | System Information Discovery (E1082) | -- |
| system_account_discovery_cmd | System Information Discovery (E1082) | -- |
| system_currently_loggedin_user_cmd | System Information Discovery (E1082) | -- |
| system_info_discovery_cmd | System Information Discovery (E1082) | -- |
| system_info_discovery_pwsh | System Information Discovery (E1082) | -- |
| system_network_discovery_cmd | System Information Discovery (E1082) | -- |
| system_network_discovery_pwsh | System Information Discovery (E1082) | -- |
| system_user_discovery_cmd | System Information Discovery (E1082) | -- |
| antivm_generic_services | System Information Discovery (E1082) | RegOpenKeyExW, RegEnumKeyExW, RegEnumKeyExA, RegOpenKeyExA |
| antivm_generic_disk_setupapi | System Information Discovery (E1082) | SetupDiGetClassDevsA, SetupDiGetClassDevsW |
| antisandbox_check_userdomain | System Information Discovery (E1082) | rtcEnvironBstr |
| browser_scanbox | System Information Discovery (E1082) | JsEval, COleScript_ParseScriptText, COleScript_Compile |
| recon_fingerprint | System Information Discovery (E1082) | -- |
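The command-line signatures above (system_info_discovery_cmd, system_info_discovery_pwsh, uses_windows_utilities_nltest, uses_adfind) and the tools named in the Use in Malware table (Ursnif, BlackEnergy and GoBotKR running systeminfo, wmic and ver) suggest a simple telemetry check. The Python below is an added example, not code from MBC, capa or CAPE: it matches discovery command lines in process-creation events and alerts when one parent spawns children matching several distinct discovery labels inside a short window, which separates a reconnaissance burst from an administrator typing hostname once. The event layout, the "E1082.m02" label, the window and threshold, and the sample events are all constructed for the example.

```python
"""Added example: flag host-discovery command bursts in process-creation
telemetry, modelled on the CAPE command-line signatures listed above. Event
layout, thresholds and the sample events are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (label, regex over the lower-cased command line). Labels reuse the CAPE rule
# names where one exists; "E1082.m02" marks environment-variable enumeration.
DISCOVERY_RULES = [
    ("system_info_discovery_cmd", r"\bsysteminfo\b"),
    ("system_info_discovery_cmd", r"\bwmic\b.*\b(os|computersystem|bios|cpu|diskdrive)\b"),
    ("system_info_discovery_cmd", r'(^|[\s&|"])ver\b'),
    ("system_info_discovery_cmd", r"\bhostname\b"),
    ("system_info_discovery_pwsh", r"get-computerinfo|win32_(operatingsystem|computersystem|bios|processor)"),
    ("uses_windows_utilities_nltest", r"\bnltest\b"),
    ("uses_adfind", r"\badfind\b"),
    ("E1082.m02", r'(^|[\s&|"])set\s*$|\b(get-childitem|gci|dir)\s+env:'),
]
COMPILED = [(label, re.compile(rx)) for label, rx in DISCOVERY_RULES]


def match_rules(cmdline):
    """Return the sorted, de-duplicated labels whose pattern hits this command line."""
    text = cmdline.lower()
    return sorted({label for label, rx in COMPILED if rx.search(text)})


def find_discovery_clusters(events, window=timedelta(seconds=120), min_rules=2):
    """Group discovery hits by parent process and alert when a single parent
    spawns children matching at least `min_rules` distinct labels inside
    `window`. A lone `hostname` from an interactive shell never clears the
    bar; a dropper running systeminfo, ver, wmic and nltest in sequence does.
    Each event: {"ts": ISO-8601 string, "ppid": int, "pid": int, "cmdline": str}."""
    hits = defaultdict(list)
    for ev in events:
        labels = match_rules(ev["cmdline"])
        if labels:
            hits[ev["ppid"]].append((datetime.fromisoformat(ev["ts"]), ev["pid"], labels))

    alerts = []
    for ppid, parent_hits in hits.items():
        parent_hits.sort(key=lambda h: h[0])
        for i, (t0, _, _) in enumerate(parent_hits):
            in_window = [h for h in parent_hits[i:] if h[0] - t0 <= window]
            labels = sorted({lb for _, _, lbs in in_window for lb in lbs})
            if len(labels) >= min_rules:
                alerts.append({
                    "ppid": ppid,
                    "first_seen": t0.isoformat(),
                    "children": [pid for _, pid, _ in in_window],
                    "rules": labels,
                })
                break  # one alert per parent is enough for triage
    return alerts


# Constructed process-creation events, not real telemetry. PID 4120 plays a
# dropper profiling the host; PID 812 is an interactive shell.
SAMPLE_EVENTS = [
    {"ts": "2025-04-03T10:00:00", "ppid": 4120, "pid": 4188, "cmdline": "cmd.exe /c systeminfo > %TEMP%\\si.txt"},
    {"ts": "2025-04-03T10:00:02", "ppid": 4120, "pid": 4192, "cmdline": "cmd.exe /c ver"},
    {"ts": "2025-04-03T10:00:05", "ppid": 4120, "pid": 4201, "cmdline": "wmic os get Caption,Version,OSArchitecture"},
    {"ts": "2025-04-03T10:00:09", "ppid": 4120, "pid": 4210, "cmdline": "nltest /domain_trusts"},
    {"ts": "2025-04-03T10:00:11", "ppid": 4120, "pid": 4215, "cmdline": "cmd.exe /c set"},
    {"ts": "2025-04-03T10:30:00", "ppid": 812, "pid": 5003, "cmdline": "cmd.exe /c hostname"},
    {"ts": "2025-04-03T10:31:00", "ppid": 812, "pid": 5010, "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for alert in find_discovery_clusters(SAMPLE_EVENTS):
        print(alert)
```

The window and the distinct-label threshold are the two knobs worth tuning against your own baseline: raising `min_rules` to 3 would still catch the sample burst (three labels) while tolerating scripted inventory jobs that only run systeminfo and hostname.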

E1082.m02 Snippet

SHA256: e4b36a1d4e70d988efa2ec27e5a639be5eb0880474f746851c13e56f007a8377
Location: 0x004017e9

```asm
push eax                                                 ; output buffer (lpBuffer) that receives the variable's value
push u_ALLUSERSPROFILE_0041a9a4                          ; name of the sought environment variable (lpName), here ALLUSERSPROFILE
call dword ptr [->KERNEL32.DLL::GetEnvironmentVariableW] ; GetEnvironmentVariableW(lpName, lpBuffer, nSize); nSize was pushed before this excerpt
```
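What a query like the one above actually yields: the Python below is an added example, not code from the sample or from MBC, and reconstructs the system details an attacker can infer from the default Windows environment variables that E1082.m02 reads, ALLUSERSPROFILE included. The inference rules rest on documented Windows defaults (ProgramFiles(x86) is defined only on 64-bit Windows, PROCESSOR_ARCHITEW6432 only for a 32-bit process under WOW64, and ALLUSERSPROFILE moved from "Documents and Settings\All Users" to ProgramData with Vista); the two environment blocks are constructed, not captured from a real host.

```python
"""Added example: infer system details from the environment variables a
sample reads (E1082.m02). The inference rules use documented Windows
defaults; the environment blocks below are constructed, not captured."""


def profile_from_environment(env):
    """Map a Windows process environment (dict of name -> value) to the system
    facts it leaks. Names are compared case-insensitively, as Windows does;
    a missing variable leaves the corresponding field as None or False."""
    e = {k.lower(): v for k, v in env.items()}

    # ProgramFiles(x86) is defined on 64-bit Windows for every process, so its
    # presence identifies a 64-bit OS even from a 32-bit (WOW64) process.
    os_is_64bit = "programfiles(x86)" in e
    # PROCESSOR_ARCHITEW6432 exists only for 32-bit processes under WOW64 and
    # carries the real machine architecture; otherwise PROCESSOR_ARCHITECTURE does.
    under_wow64 = "processor_architew6432" in e
    cpu_arch = e.get("processor_architew6432") or e.get("processor_architecture")

    cpus = e.get("number_of_processors", "")
    cpu_count = int(cpus) if cpus.isdigit() else None
    # PROCESSOR_IDENTIFIER ends with the vendor string, e.g. "..., GenuineIntel".
    ident = e.get("processor_identifier")
    cpu_vendor = ident.rsplit(",", 1)[-1].strip() if ident else None

    # ALLUSERSPROFILE (the variable the snippet above queries) is
    # "C:\Documents and Settings\All Users" on XP/2003 and "C:\ProgramData"
    # from Vista on, so a single query both dates the OS and returns a
    # directory that standard users can write to for staging files.
    aup = e.get("allusersprofile", "")
    if aup.lower().endswith("programdata"):
        os_generation = "vista_or_later"
    elif "documents and settings" in aup.lower():
        os_generation = "xp_or_2003"
    else:
        os_generation = None

    # USERDOMAIN equals COMPUTERNAME for a local account and names the domain
    # for a domain account; this is the comparison behind USERDOMAIN checks
    # such as CAPE's antisandbox_check_userdomain signature listed above.
    host, domain = e.get("computername"), e.get("userdomain")
    domain_account = bool(host and domain and host.lower() != domain.lower())

    return {
        "os_is_64bit": os_is_64bit,
        "process_under_wow64": under_wow64,
        "cpu_arch": cpu_arch,
        "cpu_count": cpu_count,
        "cpu_vendor": cpu_vendor,
        "os_generation": os_generation,
        "staging_dir": aup or None,
        "hostname": host,
        "user_domain": domain,
        "domain_account": domain_account,
    }


# Constructed environment blocks (assumed values, not captured from a host).
WIN10_WOW64_ENV = {
    "ALLUSERSPROFILE": "C:\\ProgramData",
    "COMPUTERNAME": "WS-0417",
    "USERDOMAIN": "CORP",
    "USERNAME": "jdoe",
    "NUMBER_OF_PROCESSORS": "8",
    "PROCESSOR_ARCHITECTURE": "x86",
    "PROCESSOR_ARCHITEW6432": "AMD64",
    "PROCESSOR_IDENTIFIER": "Intel64 Family 6 Model 158 Stepping 10, GenuineIntel",
    "ProgramFiles": "C:\\Program Files (x86)",
    "ProgramFiles(x86)": "C:\\Program Files (x86)",
    "SystemRoot": "C:\\Windows",
}
XP_ENV = {
    "ALLUSERSPROFILE": "C:\\Documents and Settings\\All Users",
    "COMPUTERNAME": "XP-LAB",
    "USERDOMAIN": "XP-LAB",
    "NUMBER_OF_PROCESSORS": "1",
    "PROCESSOR_ARCHITECTURE": "x86",
    "PROCESSOR_IDENTIFIER": "x86 Family 6 Model 15 Stepping 11, GenuineIntel",
    "ProgramFiles": "C:\\Program Files",
    "SystemRoot": "C:\\WINDOWS",
}

if __name__ == "__main__":
    for name, block in (("win10/wow64", WIN10_WOW64_ENV), ("xp", XP_ENV)):
        print(name, profile_from_environment(block))
```

Passing `os.environ` instead of a constructed block runs the same inference on a live Windows host; on any other platform the defaults are absent and every field degrades to None or False rather than to a wrong guess.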
References
[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279
[2] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[3] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[4] https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
[5] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[6] https://web.archive.org/web/20210307034415/https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[7] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf
[8] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[9] capa v4.0, analyzed at MITRE on 10/12/2022
[10] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[11] https://www.cybereason.com/blog/research/threat-analysis-report-snake-infostealer-malware