Field | Value |
---|---|
ID | E1082 |
Objective(s) | Discovery |
Related ATT&CK Techniques | System Information Discovery (T1082) |
Version | 2.0 |
Created | 2 August 2022 |
Last Modified | 21 November 2022 |
Malware may attempt to get detailed information about the system.
See ATT&CK: System Information Discovery (T1082).
Name | ID | Description |
---|---|---|
Generate Windows Exception | E1082.m01 | Malware may trigger an exception as a way of gathering system details. |
Name | Date | Method | Description |
---|---|---|---|
TrickBot | 2016 | -- | Trojan spyware program that has mainly been used for targeting banking sites. [7] |
WebCobra | 2018 | -- | Learns about the system so it can drop compatible miner software. [8] |
Ursnif | 2016 | -- | Uses Windows command prompt commands to gather system information, the task list, installed drivers, and installed programs. [1] |
BlackEnergy | 2007 | -- | Uses systeminfo to gather the OS version, system configuration, BIOS, motherboard, and processor details. [2] |
Emotet | 2018 | -- | Collects information about the OS, running processes, and sometimes the mail client, and sends it to the C2 server. [4] |
Stuxnet | 2010 | -- | Gathers information (OS version, workgroup status, computer name, domain/workgroup name, file name of the infected project file) about each computer on the network in order to spread itself. [5] |
CHOPSTICK | 2015 | -- | Collects information from the host, including the Windows version, CPU architecture, and UAC settings. [6] |
Dark Comet | 2008 | -- | Can collect information about the computer, its resources, and the operating system version. [3] |
CryptoLocker | 2013 | -- | Query environment variable (This capa rule had 1 match) [9] |
Gamut | 2014 | -- | Query environment variable (This capa rule had 1 match) [9] |
GoBotKR | 2019 | -- | Uses the wmic, systeminfo, and ver commands to collect information about the system and the installed software. [10] Query environment variable (This capa rule had 2 matches) [9] |
Hupigon | 2013 | -- | Query environment variable (This capa rule had 1 match) [9] |
Kovter | 2016 | -- | Get disk information (This capa rule had 1 match) [9] |
Mebromi | 2011 | -- | Check OS version (This capa rule had 1 match) [9] |
Redhip | 2011 | -- | Check OS version (This capa rule had 1 match) [9] |
Rombertik | 2015 | -- | Get disk size (This capa rule had 1 match) [9] |
Shamoon | 2012 | -- | Get hostname (This capa rule had 1 match) [9] |
UP007 Malware Family | 2016 | -- | Query environment variable (This capa rule had 1 match) [9] |
[1] https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/PE_URSNIF.A2?_ga=2.131425807.1462021705.1559742358-1202584019.1549394279
[2] https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163408/BlackEnergy_Quedagh.pdf
[3] https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/
[4] https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf
[5] https://docs.broadcom.com/doc/security-response-w32-stuxnet-dossier-11-en
[6] https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf
[7] https://www.trendmicro.com/en_us/research/18/k/trickbot-shows-off-new-trick-password-grabber-module.html
[8] https://securingtomorrow.mcafee.com/other-blogs/mcafee-labs/webcobra-malware-uses-victims-computers-to-mine-cryptocurrency/
[9] capa v4.0, analyzed at MITRE on 10/12/2022
[10] https://www.welivesecurity.com/2019/07/08/south-korean-users-backdoor-torrents/
[11] https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf