cmdl32.exe

  • File Path: C:\Windows\SysWOW64\cmdl32.exe
  • Description: Microsoft Connection Manager Auto-Download

Hashes

Type     Hash
MD5      87390E37E36622B054D4BDCBB7997B6C
SHA1     4D591F310318FD95A95109D7965A79729B65C69E
SHA256   5F067F86AD0F88A629263162810BF5052F5EBBD97D5D0DE936311BB44C9F35E7
SHA384   1601628950C2123FF9DC5A3F59D48751F9C8D1647928E556DDB64A670D57C48385C7FB32EF6B987FE406CD72E648E092
SHA512   285ABB19138A5DD109DFC0E76F4A4F96B3731A84CA9229E6EF9315513B052FD7AD7B2E0392AC9BECBF4CAF2C9BBDBD87F5B66486FB2AE1385C1FBE6E1ED643DD
SSDEEP   768:GTqHPEiucKtaMwxru9UMYriMPWBiAlZv12+6m/dJaJCO0dsZIYG8w:GT+PEJcKtaMII+e3vR6AiZI58
IMP      BA2BC70069F6B2E3580725012BA0CDE5
PESHA1   45228C157307297DB800C74DC6385BBAB99870C8
PE256    732DD1051D555920FD64D4A121C2087ABCD594A34198C658512DBCC15FF04D6A

Runtime Data

Loaded Modules:

  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll
  • C:\Windows\SysWOW64\cmdl32.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CMDL32.EXE.MUI
  • Product Name: Microsoft(R) Connection Manager
  • Company Name: Microsoft Corporation
  • File Version: 7.2.17763.1 (WinBuild.160101.0800)
  • Product Version: 7.2.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/5f067f86ad0f88a629263162810bf5052f5ebbd97d5d0de936311bb44c9f35e7/detection/

File Similarity (ssdeep match)

File                              Score
C:\Windows\SysWOW64\cmdl32.exe    40
C:\Windows\SysWOW64\cmdl32.exe    54
C:\WINDOWS\SysWOW64\cmdl32.exe    43

Possible Misuse

The following table lists possible examples of cmdl32.exe being misused. cmdl32.exe is not inherently malicious, but its legitimate functionality (downloading a Connection Manager profile) can be abused for malicious purposes.

Source: sigma
Source File: proc_creation_win_susp_cmdl32_lolbas.yml
License: DRL 1.0
  • title: Suspicious Cmdl32 Execution
  • description: lolbas Cmdl32 is used to download a payload to evade antivirus
  • - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
  • cmdl32:
  • - Image|endswith: '\cmdl32.exe'
  • - OriginalFileName: CMDL32.EXE
  • condition: cmdl32 and options

Source: LOLBAS
Source File: Cmdl32.yml
License: (none stated)
  • Name: cmdl32.exe
  • - Command: cmdl32 /vpn /lan %cd%\config
  • - Path: C:\Windows\System32\cmdl32.exe
  • - Path: C:\Windows\SysWOW64\cmdl32.exe

Source: atomic-red-team
Source File: T1105.md
License: MIT License. © 2018 Red Canary
  • Uses cmdl32 to download an arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitrary file.
  • The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user.
  • https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/
  • https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html

MIT License. Copyright (c) 2020-2021 Strontic.