cmdl32.exe

  • File Path: C:\WINDOWS\system32\cmdl32.exe
  • Description: Microsoft Connection Manager Auto-Download

Hashes

Type Hash
MD5 14C82BE72A2ABB9928470524EE9CEBED
SHA1 7735FED29BCD595D568772EF04F5BA58DC32774D
SHA256 F3FD2609C152AC0471BA72D929A16BDB7DF888C92F7EF8F802664724628BD9C4
SHA384 BADAF2E64F4CB66A9252FCB41CD82834B5541A7429D4F00C6BE3BC7613E2FCAC1B831BC33E23C60257E075D2AC945F3A
SHA512 E06CB2CB5F013EDB4549B65D556001238631954447CA5B7D446F02178E40F4A776110EBD36F026EEBC4A7C42DAEB630742E6E04ABB4341076EE2433FB63EC834
SSDEEP 1536:thkzJjjxZWK6iy6Ovzevkp8Kd9M94tnI:thS6/8Kd9NI

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CMDL32.EXE.MUI
  • Product Name: Microsoft(R) Connection Manager
  • Company Name: Microsoft Corporation
  • File Version: 7.2.18362.1 (WinBuild.160101.0800)
  • Product Version: 7.2.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\cmdl32.exe 27
C:\Windows\system32\cmdl32.exe 38
C:\Windows\system32\cmdl32.exe 35

Possible Misuse

The following table contains possible examples of cmdl32.exe being misused. While cmdl32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_cmdl32_lolbas.yml title: Suspicious Cmdl32 Execution DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml description: lolbas Cmdl32 is use to download a payload to evade antivirus DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml cmdl32: DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - Image\|endswith: '\cmdl32.exe' DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - OriginalFileName: CMDL32.EXE DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml condition: cmdl32 and options DRL 1.0
LOLBAS Cmdl32.yml Name: cmdl32.exe  
LOLBAS Cmdl32.yml - Command: cmdl32 /vpn /lan %cd%\config  
LOLBAS Cmdl32.yml - Path: C:\Windows\System32\cmdl32.exe  
LOLBAS Cmdl32.yml - Path: C:\Windows\SysWOW64\cmdl32.exe  
atomic-red-team T1105.md Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user. MIT License. © 2018 Red Canary
atomic-red-team T1105.md https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ MIT License. © 2018 Red Canary
atomic-red-team T1105.md https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.