cmdl32.exe

File Path: C:\Windows\SysWOW64\cmdl32.exe
Description: Microsoft Connection Manager Auto-Download

Hashes

Type	Hash
MD5	`5C354F6BA0DF7D01B2CB5CF08140B67E`
SHA1	`F2DA0A2C771D1E65F77AF7AC2629C421CA5E1E06`
SHA256	`DE3435AF48FC13B8A5EE92E2ECEABBCD5C41F528F76396F38F334DB5C975FA2B`
SHA384	`E96FA8356010ED72107D24DBA0066D45D47B8B6C5F791A2880BC6B76D87E90C0799576C91AF6A3B10897A9707E7B643B`
SHA512	`FCE9A292FE574BFAB3C957A053D8AA6C0FCD0B29AF72DC345E563B9E66895977C8DAA9EB1F63ED6EAD7E8EBD461EB68FE6E04936B2118C024B6614801A01C0CA`
SSDEEP	`768:D4TqHPEiucKt9XCUdfFPbeLi1VsODF3QU7e2Yc58PlUNyvNy9PcuIDxEp:D4T+PEJcKt9XdFBVfr7d8eCJuIDK`

Signature

Status: Signature verified.
Serial: 33000000BCE120FDD27CC8EE930000000000BC
Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: CMDL32.EXE.MUI
Product Name: Microsoft(R) Connection Manager
Company Name: Microsoft Corporation
File Version: 7.2.14393.0 (rs1_release.160715-1616)
Product Version: 7.2.14393.0
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File	Score
C:\Windows\SysWOW64\cmdl32.exe	40
C:\Windows\SysWOW64\cmdl32.exe	43
C:\WINDOWS\SysWOW64\cmdl32.exe	44

Possible Misuse

The following table contains possible examples of cmdl32.exe being misused. While cmdl32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_susp_cmdl32_lolbas.yml	`title: Suspicious Cmdl32 Execution`	DRL 1.0
sigma	proc_creation_win_susp_cmdl32_lolbas.yml	`description: lolbas Cmdl32 is use to download a payload to evade antivirus`	DRL 1.0
sigma	proc_creation_win_susp_cmdl32_lolbas.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/`	DRL 1.0
sigma	proc_creation_win_susp_cmdl32_lolbas.yml	`cmdl32:`	DRL 1.0
sigma	proc_creation_win_susp_cmdl32_lolbas.yml	`- Image\\|endswith: '\cmdl32.exe'`	DRL 1.0
sigma	proc_creation_win_susp_cmdl32_lolbas.yml	`- OriginalFileName: CMDL32.EXE`	DRL 1.0
sigma	proc_creation_win_susp_cmdl32_lolbas.yml	`condition: cmdl32 and options`	DRL 1.0
LOLBAS	Cmdl32.yml	`Name: cmdl32.exe`
LOLBAS	Cmdl32.yml	`- Command: cmdl32 /vpn /lan %cd%\config`
LOLBAS	Cmdl32.yml	`- Path: C:\Windows\System32\cmdl32.exe`
LOLBAS	Cmdl32.yml	`- Path: C:\Windows\SysWOW64\cmdl32.exe`
atomic-red-team	T1105.md	Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file.	MIT License. © 2018 Red Canary
atomic-red-team	T1105.md	The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user.	MIT License. © 2018 Red Canary
atomic-red-team	T1105.md	https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/	MIT License. © 2018 Red Canary
atomic-red-team	T1105.md	https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html	MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.