systeminfo.exe

  • File Path: C:\WINDOWS\system32\systeminfo.exe
  • Description: Displays system information

Hashes

  • MD5: 852328E9E512BF6AC3B48F39BA14C7A4
  • SHA1: 8B35355B18AFD3142933E7665A32F922A5FBAA5C
  • SHA256: 104E036A6DAE7A24E70E9EDF489702A33D67031CC09ED8265854A221764D8EE3
  • SHA384: F9B128E736E92D3FBA9B302DD77D409FD437FECB04AC23DFA0F4C5C67373A2EDEABC9C172F73ED4D85B111CA355B9157
  • SHA512: 37CB9883DFEC17A3B86825405C010ED170D397C3D772F9498378FC6294DCEB735078D9AB213078801DE9BE738AF1B63DC9C8C4ECD713F6E49F0F5C4621FDF8E0
  • SSDEEP: 1536:36jVQAY2jZo6T4hJ1WK4BL22U+1NgwdKM7mvqEJGY57WV9nY3JydDwjYJxh1:36RY2jG6GKtb1N4bvqEJlZ6d+YxH
  • IMP: 62D18A0582DD061D47BD5429DE1570A2
  • PESHA1: 9B049BA8698095C59928BE0CDD6A17FE9D0F9EF8
  • PE256: EDFBD2BDD7E8859BF4DBF1D8101E49D3675B51F3FFA483BE0D826DA5982F0940

Runtime Data

Usage (stdout):


SYSTEMINFO [/S system [/U username [/P [password]]]] [/FO format] [/NH]

Description:
    This tool displays operating system configuration information for
    a local or remote machine, including service pack levels.

Parameter List:
    /S      system           Specifies the remote system to connect to.

    /U      [domain\]user    Specifies the user context under which
                             the command should execute.

    /P      [password]       Specifies the password for the given
                             user context. Prompts for input if omitted.

    /FO     format           Specifies the format in which the output
                             is to be displayed.
                             Valid values: "TABLE", "LIST", "CSV".

    /NH                      Specifies that the "Column Header" should
                             not be displayed in the output.
                             Valid only for "TABLE" and "CSV" formats.

    /?                       Displays this help message.

Examples:
    SYSTEMINFO
    SYSTEMINFO /?
    SYSTEMINFO /S system
    SYSTEMINFO /S system /U user
    SYSTEMINFO /S system /U domain\user /P password /FO TABLE
    SYSTEMINFO /S system /FO LIST
    SYSTEMINFO /S system /FO CSV /NH

Usage (stderr):

ERROR: Invalid argument/option - '--help'.
Type "SYSTEMINFO /?" for usage.

Loaded Modules:

  • C:\WINDOWS\System32\KERNEL32.DLL
  • C:\WINDOWS\System32\KERNELBASE.dll
  • C:\WINDOWS\SYSTEM32\ntdll.dll
  • C:\WINDOWS\system32\systeminfo.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sysinfo.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/104e036a6dae7a24e70e9edf489702a33d67031cc09ed8265854a221764d8ee3/detection

Possible Misuse

The following list contains possible examples of systeminfo.exe being misused. While systeminfo.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source, the source file, the matching excerpt, and the license.

  • [sigma] godmode_sigma_rule.yml: - 'systeminfo' (DRL 1.0)
  • [sigma] image_load_wmi_module_load.yml: - '\systeminfo.exe' (DRL 1.0)
  • [sigma] proc_creation_win_multiple_suspicious_cli.yml: - systeminfo.exe (DRL 1.0)
  • [sigma] proc_creation_win_stordiag_execution.yml: description: Detects the use of stordiag.exe to execute schtasks.exe systeminfo.exe and fltmc.exe (DRL 1.0)
  • [sigma] proc_creation_win_stordiag_execution.yml: - '\systeminfo.exe' (DRL 1.0)
  • [sigma] proc_creation_win_susp_commands_recon_activity.yml: - systeminfo (DRL 1.0)
  • [sigma] proc_creation_win_susp_systeminfo.yml: title: Suspicious Execution of Systeminfo (DRL 1.0)
  • [sigma] proc_creation_win_susp_systeminfo.yml: description: Use of systeminfo to get information (DRL 1.0)
  • [sigma] proc_creation_win_susp_systeminfo.yml: - https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/systeminfo (DRL 1.0)
  • [sigma] proc_creation_win_susp_systeminfo.yml: Image|endswith: \systeminfo.exe (DRL 1.0)
  • [sigma] proc_creation_win_webshell_detection.yml: - '\systeminfo.exe' (DRL 1.0)
  • [LOLBAS] Stordiag.yml: Description: Once executed, Stordiag.exe will execute schtasks.exe systeminfo.exe and fltmc.exe - if stordiag.exe is copied to a folder and an arbitrary executable is renamed to one of these names, stordiag.exe will execute it.
  • [LOLBAS] Stordiag.yml: - IOC: systeminfo.exe, fltmc.exe or schtasks.exe being executed outside of their normal path of c:\windows\system32\ or c:\windows\syswow64\
  • [malware-ioc] backdoordiplomacy: * systeminfo.oicp.net (© ESET 2014-2018)
  • [malware-ioc] backdoordiplomacy: * systeminfo.myftp.name (© ESET 2014-2018)
  • [malware-ioc] backdoordiplomacy: * systeminfo.cleansite.info (© ESET 2014-2018)
  • [malware-ioc] misp_invisimole.json: "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from [System Information Discovery](https://attack.mitre.org/techniques/T1082) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.\n\n### Windows\n\nExample commands and utilities that obtain this information include <code>ver</code>, [Systeminfo](https://attack.mitre.org/software/S0096), and <code>dir</code> within [cmd](https://attack.mitre.org/software/S0106) for identifying information based on present files and directories.\n\n### Mac\n\nOn Mac, the <code>systemsetup</code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler</code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.\n\n### AWS\n\nIn Amazon Web Services (AWS), the Application Discovery Service may be used by an adversary to identify servers, virtual machines, software, and software dependencies running.(Citation: Amazon System Discovery)\n\n### GCP\n\nOn Google Cloud Platform (GCP) <code>GET /v1beta1/{parent=organizations/*}/assets</code> or <code>POST /v1beta1/{parent=organizations/*}/assets:runDiscovery</code> may be used to list an organizations cloud assets, or perform asset discovery on a cloud environment.(Citation: Google Command Center Dashboard)\n\n### Azure\n\nIn Azure, the API request <code>GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2019-03-01</code> may be used to retrieve information about the model or instance view of a virtual machine.(Citation: Microsoft Virutal Machine API)", (© ESET 2014-2018)
  • [malware-ioc] misp_invisimole.json: "description": "Adversaries may check for the presence of a virtual machine environment (VME) or sandbox to avoid potential detection of tools and activities. If the adversary detects a VME, they may alter their malware to conceal the core functions of the implant or disengage from the victim. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information from learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.\n\nAdversaries may use several methods including [Security Software Discovery](https://attack.mitre.org/techniques/T1063) to accomplish [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) by searching for security monitoring tools (e.g., Sysinternals, Wireshark, etc.) to help determine if it is an analysis environment. Additional methods include use of sleep timers or loops within malware code to avoid operating within a temporary sandboxes. (Citation: Unit 42 Pirpi July 2015)\n\n###Virtual Machine Environment Artifacts Discovery###\n\nAdversaries may use utilities such as [Windows Management Instrumentation](https://attack.mitre.org/techniques/T1047), [PowerShell](https://attack.mitre.org/techniques/T1086), [Systeminfo](https://attack.mitre.org/software/S0096), and the [Query Registry](https://attack.mitre.org/techniques/T1012) to obtain system information and search for VME artifacts. Adversaries may search for VME artifacts in memory, processes, file system, and/or the Registry. Adversaries may use [Scripting](https://attack.mitre.org/techniques/T1064) to combine these checks into one script and then have the program exit if it determines the system to be a virtual environment. Also, in applications like VMWare, adversaries can use a special I/O port to send commands and receive output. Adversaries may also check the drive size. For example, this can be done using the Win32 DeviceIOControl function. \n\nExample VME Artifacts in the Registry(Citation: McAfee Virtual Jan 2017)\n\n* <code>HKLM\\SOFTWARE\\Oracle\\VirtualBox Guest Additions</code>\n* <code>HKLM\\HARDWARE\\Description\\System\\”SystemBiosVersion”;”VMWARE”</code>\n* <code>HKLM\\HARDWARE\\ACPI\\DSDT\\BOX_</code>\n\nExample VME files and DLLs on the system(Citation: McAfee Virtual Jan 2017)\n\n* <code>WINDOWS\\system32\\drivers\\vmmouse.sys</code> \n* <code>WINDOWS\\system32\\vboxhook.dll</code>\n* <code>Windows\\system32\\vboxdisp.dll</code>\n\nCommon checks may enumerate services running that are unique to these applications, installed programs on the system, manufacturer/product fields for strings relating to virtual machine applications, and VME-specific hardware/processor instructions.(Citation: McAfee Virtual Jan 2017)\n\n###User Activity Discovery###\n\nAdversaries may search for user activity on the host (e.g., browser history, cache, bookmarks, number of files in the home directories, etc.) for reassurance of an authentic environment. They might detect this type of information via user interaction and digital signatures. They may have malware check the speed and frequency of mouse clicks to determine if it’s a sandboxed environment.(Citation: Sans Virtual Jan 2016) Other methods may rely on specific user interaction with the system before the malicious code is activated. Examples include waiting for a document to close before activating a macro (Citation: Unit 42 Sofacy Nov 2018) and waiting for a user to double click on an embedded image to activate (Citation: FireEye FIN7 April 2017).\n\n###Virtual Hardware Fingerprinting Discovery###\n\nAdversaries may check the fan and temperature of the system to gather evidence that can be indicative a virtual environment. An adversary may perform a CPU check using a WMI query <code>$q = “Select * from Win32_Fan” Get-WmiObject -Query $q</code>. If the results of the WMI query return more than zero elements, this might tell them that the machine is a physical one. (Citation: Unit 42 OilRig Sept 2018)", (© ESET 2014-2018)
  • [malware-ioc] oceanlotus-macOS.misp.event.json: "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\n\n### Windows\n\nExample commands and utilities that obtain this information include <code>ver<\/code>, [Systeminfo](https:\/\/attack.mitre.org\/software\/S0096), and <code>dir<\/code> within [cmd](https:\/\/attack.mitre.org\/software\/S0106) for identifying information based on present files and directories.\n\n### Mac\n\nOn Mac, the <code>systemsetup<\/code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler<\/code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.", (© ESET 2014-2018)
  • [malware-ioc] oceanlotus-rtf_ocx_campaigns.misp.event.json: "description": "An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.\n\n===Windows===\n\nExample commands and utilities that obtain this information include <code>ver<\/code>, Systeminfo, and <code>dir<\/code> within cmd for identifying information based on present files and directories.\n\n===Mac===\n\nOn Mac, the <code>systemsetup<\/code> command gives a detailed breakdown of the system, but it requires administrative privileges. Additionally, the <code>system_profiler<\/code> gives a very detailed breakdown of configurations, firewall rules, mounted volumes, hardware, and many other things without needing elevated permissions.\n\nDetection: System and network discovery techniques normally occur throughout an operation as an adversary learns the environment. Data and events should not be viewed in isolation, but as part of a chain of behavior that could lead to other activities based on the information obtained.\n\nMonitor processes and command-line arguments for actions that could be taken to gather system and network information. Remote access tools with built-in features may interact directly with the Windows API to gather information. Information may also be acquired through Windows system management tools such as Windows Management Instrumentation and PowerShell.\n\nPlatforms: Linux, macOS, Windows\n\nData Sources: Process command-line parameters, Process monitoring\n\nPermissions Required: User", (© ESET 2014-2018)
  • [atomic-red-team] T1082.md: Tools such as Systeminfo can be used to gather detailed system information. A breakdown of system data can also be gathered through the macOS systemsetup command, but it requires administrative privileges. (MIT License. © 2018 Red Canary)
  • [atomic-red-team] T1082.md: systeminfo (MIT License. © 2018 Red Canary)
  • [signature-base] apt_casper.yar: $a1 = "& SYSTEMINFO) ELSE EXIT" (CC BY-NC 4.0)
  • [signature-base] apt_golddragon.yar: $s2 = "/c systeminfo >> %s" fullword ascii (CC BY-NC 4.0)
  • [signature-base] apt_golddragon.yar: $s1 = "cmd.exe /c systeminfo " fullword ascii (CC BY-NC 4.0)
  • [signature-base] apt_keylogger_cn.yar: $s1 = "\cmd.exe /c "systeminfo.exe >> " fullword ascii (CC BY-NC 4.0)
  • [signature-base] apt_op_honeybee.yar: $s2 = "cmd /c systeminfo >%s" fullword ascii (CC BY-NC 4.0)
  • [signature-base] apt_sednit_delphidownloader.yar: $s5 = "53595354454D494E464F2026205441534B4C495354" ascii /* hex encoded string 'SYSTEMINFO & TASKLIST' */ (CC BY-NC 4.0)
  • [signature-base] gen_crimson_rat.yar: $x3 = "cmd.exe/c systeminfo >> 1.txt" fullword wide (CC BY-NC 4.0)
  • [signature-base] gen_rats_malwareconfig.yar: $a5 = "SystemInfo" (CC BY-NC 4.0)
  • [signature-base] gen_recon_indicators.yar: $s6 = "systeminfo" ascii (CC BY-NC 4.0)
  • [signature-base] gen_suspicious_strings.yar: $ = "systeminfo" (CC BY-NC 4.0)

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


systeminfo

Displays detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties (such as RAM, disk space, and network cards).

Syntax

systeminfo [/s <computer> [/u <domain>\<username> [/p <password>]]] [/fo {TABLE | LIST | CSV}] [/nh]

Parameters

  • /s <computer>: Specifies the name or IP address of a remote computer (do not use backslashes). The default is the local computer.
  • /u <domain>\<username>: Runs the command with the account permissions of the specified user account. If /u is not specified, this command uses the permissions of the user who is currently logged on to the computer that is issuing the command.
  • /p <password>: Specifies the password of the user account that is specified in the /u parameter.
  • /fo <format>: Specifies the output format with one of the following values: TABLE (displays output in a table), LIST (displays output in a list), or CSV (displays output in comma-separated values (.csv) format).
  • /nh: Suppresses column headers in the output. Valid when the /fo parameter is set to TABLE or CSV.
  • /?: Displays help at the command prompt.

Examples

To view configuration information for a computer named Srvmain, type:

systeminfo /s srvmain

To remotely view configuration information for a computer named Srvmain2 that is located on the Maindom domain, type:

systeminfo /s srvmain2 /u maindom\hiropln

To remotely view configuration information (in list format) for a computer named Srvmain2 that is located on the Maindom domain, type:

systeminfo /s srvmain2 /u maindom\hiropln /p p@ssW23 /fo list


MIT License. Copyright (c) 2020-2021 Strontic.