system-information-discovery.md

File metadata and controls

95 lines (74 loc) · 6.17 KB
ID E1082
Objective(s) Discovery
Related ATT&CK Techniques System Information Discovery (T1082)
Version 2.0
Created 2 August 2022
Last Modified 13 September 2023

# System Information Discovery

Malware may attempt to get detailed information about the system.

See ATT&CK: System Information Discovery (T1082).

## Methods

|Name|ID|Description|
|---|---|---|
| Generate Windows Exception | E1082.m01 | Malware may trigger an exception as a way of gathering system details. |

## Use in Malware

|Name|Date|Method|Description|
|---|---|---|---|
| TrickBot | 2016 | -- | The malware can collect information about the computer, resources, services, installed programs, firmware, and operating system versions. [7] |
| WebCobra | 2018 | -- | Malware learns about the system so it can drop compatible miner software. [8] |
| Ursnif | 2016 | -- | Malware uses Windows command prompt commands to gather system info, task list, installed drivers, and installed programs. [1] |
| BlackEnergy | 2007 | -- | Malware uses `systeminfo` to gather OS version, system configuration, BIOS, motherboard, and processor details. [2] |
| DarkComet | 2008 | -- | Malware can collect information about the computer, resources, and operating system version. [3] |
| Emotet | 2018 | -- | Emotet collects information related to the OS, processes, and sometimes mail client information and sends it to C2. [4] |
| Stuxnet | 2010 | -- | Malware gathers information (OS version, workgroup status, computer name, domain/workgroup name, file name of infected project file) about each computer in the network in order to spread itself. [5] |
| Stuxnet | 2010 | -- | Stuxnet checks the OS version. [5] |
| CHOPSTICK | 2015 | -- | CHOPSTICK collects information from the host including Windows version, CPU architecture, and UAC settings. [6] |
| CryptoLocker | 2013 | -- | The malware queries environment variables. [9] |
| Gamut | 2014 | -- | The malware queries environment variables. [9] |
| GoBotKR | 2019 | -- | GoBotKR uses the `wmic`, `systeminfo` and `ver` commands to collect information about the system and the installed software, and queries environment variables. [9] [10] |
| Hupigon | 2013 | -- | Hupigon queries environment variables. [9] |
| Kovter | 2016 | -- | Kovter gets disk information. [9] |
| Mebromi | 2011 | -- | Mebromi checks the OS version. [9] |
| Redhip | 2011 | -- | Redhip checks the OS version. [9] |
| Rombertik | 2015 | -- | Rombertik gets the disk size. [9] |
| Shamoon | 2012 | -- | Shamoon gets the hostname. [9] |
| UP007 | 2016 | -- | The malware queries environment variables. [9] |
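Several entries above (Ursnif, BlackEnergy, GoBotKR) perform discovery by spawning ordinary Windows commands such as `systeminfo`, `wmic` and `ver`. Each of those commands is also run legitimately by administrators, so a useful detection looks for a burst of several distinct discovery commands from one parent process rather than for any single command. The following is an added example, not part of the MBC page or capa: it scores constructed Sysmon Event ID 1-style records per parent process, unwrapping `cmd.exe /c` so that builtins like `ver` and `set` (which never appear as their own process) are still counted. The command list, the 60-second window and the threshold of three are analyst assumptions to tune.

```python
"""Flag parent processes that burst system-discovery commands (added example).

The Sysmon-style records below are constructed for the example, not taken from
any real incident.
"""
from __future__ import annotations

from datetime import datetime, timedelta
import re

# Discovery commands named by the page's malware entries (systeminfo, wmic, ver) plus
# two analyst additions, hostname and set, which correspond to the page's "get hostname"
# and "query environment variable" capa behaviours. This list is an assumption to tune.
DISCOVERY_EXES = {"systeminfo", "hostname"}
CMD_BUILTINS = {"ver", "set"}
# Command chaining operators: a & b, a && b, a | b, a || b
CHAIN_SPLIT = re.compile(r"\s*(?:&&|\|\||&|\|)\s*")


def _basename(token: str) -> str:
    """'\"C:\\Windows\\System32\\cmd.exe\"' -> 'cmd' (unquoted paths without spaces only)."""
    token = token.strip('"').rsplit("\\", 1)[-1].lower()
    return token[:-4] if token.endswith(".exe") else token


def discovery_commands(cmdline: str) -> set[str]:
    """Return the set of discovery commands a command line invokes.

    Chains are split so each member counts, and `cmd.exe /c ...` or `/k ...` is
    unwrapped so cmd builtins such as `ver` and `set` are recognised.
    """
    found: set[str] = set()
    for segment in CHAIN_SPLIT.split(cmdline):
        tokens = segment.split()
        if not tokens:
            continue
        exe = _basename(tokens[0])
        args = [a.lower() for a in tokens[1:]]
        if exe == "cmd":
            # Everything after /c or /k is the real command: recurse on it.
            for i, arg in enumerate(args):
                if arg in ("/c", "/k"):
                    found |= discovery_commands(" ".join(tokens[i + 2:]))
                    break
        elif exe in DISCOVERY_EXES or exe in CMD_BUILTINS:
            found.add(exe)
        elif exe == "wmic" and "get" in args:
            # Read-only WMI query, e.g. `wmic os get Caption,Version`
            found.add("wmic")
    return found


def flag_discovery_bursts(events: list[dict], threshold: int = 3,
                          window: timedelta = timedelta(seconds=60)) -> dict[int, list[str]]:
    """Return {ParentProcessId: sorted distinct discovery commands} for every parent
    that issued at least `threshold` distinct discovery commands inside one `window`."""
    by_parent: dict[int, list[tuple[datetime, set[str]]]] = {}
    for ev in events:
        cmds = discovery_commands(ev["CommandLine"])
        if cmds:
            ts = datetime.strptime(ev["UtcTime"], "%Y-%m-%d %H:%M:%S")
            by_parent.setdefault(ev["ParentProcessId"], []).append((ts, cmds))

    flagged: dict[int, list[str]] = {}
    for pid, seq in by_parent.items():
        seq.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(seq):
            seen: set[str] = set()
            for ts, cmds in seq[i:]:
                if ts - start > window:
                    break
                seen |= cmds
            if len(seen) >= threshold:
                flagged[pid] = sorted(seen)
                break
    return flagged


# Constructed Sysmon Event ID 1-style records: one discovery burst from a dropper,
# and two far-apart commands from an administrator's shell that should not fire.
SAMPLE_EVENTS = [
    {"UtcTime": "2023-09-13 10:00:00", "ParentProcessId": 4242,
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\upd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c systeminfo'},
    {"UtcTime": "2023-09-13 10:00:02", "ParentProcessId": 4242,
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\upd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ver & set'},
    {"UtcTime": "2023-09-13 10:00:05", "ParentProcessId": 4242,
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\upd.exe",
     "CommandLine": "wmic os get Caption,Version"},
    {"UtcTime": "2023-09-13 10:00:07", "ParentProcessId": 4242,
     "ParentImage": r"C:\Users\victim\AppData\Local\Temp\upd.exe",
     "CommandLine": "hostname"},
    {"UtcTime": "2023-09-13 10:05:00", "ParentProcessId": 1337,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "systeminfo"},
    {"UtcTime": "2023-09-13 10:06:30", "ParentProcessId": 1337,
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\cmd.exe" /c ver'},
    {"UtcTime": "2023-09-13 10:06:35", "ParentProcessId": 1337,
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "whoami /all"},
]

if __name__ == "__main__":
    for pid, cmds in flag_discovery_bursts(SAMPLE_EVENTS).items():
        print(f"parent {pid}: {len(cmds)} distinct discovery commands: {', '.join(cmds)}")
```

Only the dropper's parent (PID 4242) is reported; the administrator's `systeminfo` and `ver` are 90 seconds apart and never share a window. In production the parent image and its path (a user-writable `Temp` directory here) would be a natural second feature, and quoted paths containing spaces need a proper Windows command-line tokenizer rather than `str.split()`.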

## Detection

|Tool: capa|Mapping|APIs|
|---|---|---|
| query environment variable | System Information Discovery (E1082) | kernel32.GetEnvironmentVariable, kernel32.GetEnvironmentStrings, kernel32.ExpandEnvironmentStrings, msvcr90.getenv, msvcrt.getenv, System.Environment::GetEnvironmentVariable, System.Environment::GetEnvironmentVariables, System.Environment::ExpandEnvironmentVariables |
| get disk information | System Information Discovery (E1082) | kernel32.GetDriveType, kernel32.GetLogicalDrives, kernel32.GetVolumeInformation, kernel32.GetVolumeNameForVolumeMountPoint, kernel32.GetVolumePathNamesForVolumeName, kernel32.GetLogicalDriveStrings, kernel32.QueryDosDevice |
| get disk size | System Information Discovery (E1082) | kernel32.GetDiskFreeSpace, kernel32.GetDiskFreeSpaceEx, DeviceIoControl |
| check OS version | System Information Discovery (E1082) | |
| get hostname | System Information Discovery (E1082) | kernel32.GetComputerName, kernel32.GetComputerNameEx, GetComputerObjectName, ws2_32.gethostname, gethostname |
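The capa rows above are API features: a sample's import table (or resolved calls) is matched against the listed names. Two details matter when doing this by hand. Win32 imports carry an `A`/`W` suffix (`GetComputerNameExW`) that the feature names omit, and the module is written differently in a feature (`kernel32.`) than in an import table (`KERNEL32.dll!`). The following is an added example, not code from the MBC page or from capa: it normalises both forms and reports which E1082 behaviours a constructed import list triggers. The matching semantics (module compared only when the feature names one, `A`/`W` ignored) are this example's own and are not a reproduction of capa's matcher; the `check OS version` row lists no APIs on the page and is deliberately absent.

```python
"""Match a sample's imports against the capa API features for E1082 (added example).

The import list at the bottom is constructed for the example, not dumped from a
real sample.
"""
from __future__ import annotations

# API features exactly as listed on the page, keyed by capa behaviour.
E1082_FEATURES: dict[str, list[str]] = {
    "query environment variable": [
        "kernel32.GetEnvironmentVariable", "kernel32.GetEnvironmentStrings",
        "kernel32.ExpandEnvironmentStrings", "msvcr90.getenv", "msvcrt.getenv",
        "System.Environment::GetEnvironmentVariable",
        "System.Environment::GetEnvironmentVariables",
        "System.Environment::ExpandEnvironmentVariables",
    ],
    "get disk information": [
        "kernel32.GetDriveType", "kernel32.GetLogicalDrives",
        "kernel32.GetVolumeInformation", "kernel32.GetVolumeNameForVolumeMountPoint",
        "kernel32.GetVolumePathNamesForVolumeName", "kernel32.GetLogicalDriveStrings",
        "kernel32.QueryDosDevice",
    ],
    "get disk size": [
        "kernel32.GetDiskFreeSpace", "kernel32.GetDiskFreeSpaceEx", "DeviceIoControl",
    ],
    "get hostname": [
        "kernel32.GetComputerName", "kernel32.GetComputerNameEx",
        "GetComputerObjectName", "ws2_32.gethostname", "gethostname",
    ],
}


def strip_aw(func: str) -> str:
    """Drop the ANSI/Unicode suffix: GetComputerNameExW -> GetComputerNameEx.

    Only a trailing A/W preceded by a lowercase letter is removed, so lowercase
    CRT names such as getenv are left alone.
    """
    if len(func) > 2 and func[-1] in "AW" and func[-2].islower():
        return func[:-1]
    return func


def normalize(ref: str) -> tuple[str | None, str]:
    """Reduce an API reference to (module, function).

    Accepts import-table form 'KERNEL32.dll!GetEnvironmentVariableW', capa feature
    form 'kernel32.GetEnvironmentVariable', .NET form
    'System.Environment::GetEnvironmentVariable', and a bare 'gethostname'
    (module None).
    """
    if "::" in ref:
        cls, method = ref.rsplit("::", 1)
        return cls.lower(), method
    if "!" in ref:
        mod, func = ref.split("!", 1)
    elif "." in ref:
        mod, func = ref.rsplit(".", 1)
    else:
        return None, strip_aw(ref)
    return mod.lower().removesuffix(".dll"), strip_aw(func)


def match_e1082(imports: list[str]) -> dict[str, list[str]]:
    """Return {behaviour: sorted matching imports} for each E1082 behaviour that fires.

    A feature that names a module only matches imports from that module; a bare
    feature (e.g. DeviceIoControl) matches the function from any module.
    """
    normalized = [(normalize(imp), imp) for imp in imports]
    hits: dict[str, list[str]] = {}
    for behaviour, apis in E1082_FEATURES.items():
        wanted = [normalize(api) for api in apis]
        matched = {
            raw
            for (mod, func), raw in normalized
            for want_mod, want_func in wanted
            if func == want_func and (want_mod is None or want_mod == mod)
        }
        if matched:
            hits[behaviour] = sorted(matched)
    return hits


# Constructed import list in 'MODULE!Function' form, mixing discovery APIs with
# unrelated imports that must not match.
SAMPLE_IMPORTS = [
    "KERNEL32.dll!GetEnvironmentVariableW",
    "KERNEL32.dll!ExpandEnvironmentStringsW",
    "KERNEL32.dll!GetDiskFreeSpaceExW",
    "KERNEL32.dll!DeviceIoControl",
    "WS2_32.dll!gethostname",
    "KERNEL32.dll!CreateFileW",
    "ADVAPI32.dll!RegOpenKeyExW",
    "USER32.dll!MessageBoxW",
]

if __name__ == "__main__":
    for behaviour, imps in match_e1082(SAMPLE_IMPORTS).items():
        print(f"{behaviour} (E1082): {', '.join(imps)}")
```

Note that `DeviceIoControl` on its own fires for almost any binary that talks to a device driver, so a rule you actually deploy should pair it with the disk-geometry IOCTL constant it is called with rather than match the import alone; the same goes for `GetEnvironmentVariable`, which most legitimate programs import too. An import hit is evidence that the capability is present, not that the behaviour ran.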

## References

[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279

[2] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf

[3] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/

[4] https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf

[5] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en

[6] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf

[7] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf

[8] https://www.mcafee.com/blogs/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/

[9] capa v4.0, analyzed at MITRE on 10/12/2022

[10] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/