cmdl32.exe

  • File Path: C:\Windows\SysWOW64\cmdl32.exe
  • Description: Microsoft Connection Manager Auto-Download

Hashes

| Type | Hash |
|---|---|
| MD5 | BD60DF43E6419AFE39B3FCBFB14077E7 |
| SHA1 | ED73F4A5605FBDE7CA7454D8E851B6EB6F14DA11 |
| SHA256 | 85B76DE4B1E44D375DF9D8D668B4BC4B91565A9BC652654C789A5EAD6D5E1AEC |
| SHA384 | 5695D998DF905488A9C5F5605D5D21DFC9989985A258FF4CAE395D10E29729DCA75862DB6DE7E0920DD9CAF96ADA118A |
| SHA512 | 537078C7BBA3F2E28152618F89A78F49B9D018CB9CE7F79DA974E0324D7EACA4D08273BE897616E8C891E182634895294B48B059C2AAA8F7A10F9B8FE6F4BB3C |
| SSDEEP | 768:OTqHPEiucKttmhpGt7ZnPJ+GO7fRk+gogm4m5LXaqauwwiI/:OT+PEJcKtt+ye//4z0BiI |
| IMP | BA2BC70069F6B2E3580725012BA0CDE5 |
| PESHA1 | 35727A5A79C3779A925870D6609B24AE85E25051 |
| PE256 | CBBD67909F480504ACD15C1A8087947E1F1F5FAE1CFD6EEBDF65ED7750E1E852 |

Runtime Data

Loaded Modules:

| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\cmdl32.exe |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CMDL32.EXE.MUI
  • Product Name: Microsoft(R) Connection Manager
  • Company Name: Microsoft Corporation
  • File Version: 7.2.19041.1 (WinBuild.160101.0800)
  • Product Version: 7.2.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/85b76de4b1e44d375df9d8d668b4bc4b91565a9bc652654c789a5ead6d5e1aec/detection

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Windows\SysWOW64\cmdl32.exe | 43 |
| C:\Windows\SysWOW64\cmdl32.exe | 54 |
| C:\WINDOWS\SysWOW64\cmdl32.exe | 50 |

Possible Misuse

The following table lists possible examples of cmdl32.exe being misused, drawn from public detection rules and test frameworks. cmdl32.exe is not inherently malicious, but its legitimate functionality (downloading Connection Manager profiles) can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_cmdl32_lolbas.yml | title: Suspicious Cmdl32 Execution | DRL 1.0 |
| sigma | proc_creation_win_susp_cmdl32_lolbas.yml | description: lolbas Cmdl32 is use to download a payload to evade antivirus | DRL 1.0 |
| sigma | proc_creation_win_susp_cmdl32_lolbas.yml | - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ | DRL 1.0 |
| sigma | proc_creation_win_susp_cmdl32_lolbas.yml | cmdl32: | DRL 1.0 |
| sigma | proc_creation_win_susp_cmdl32_lolbas.yml | - Image\|endswith: '\cmdl32.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_cmdl32_lolbas.yml | - OriginalFileName: CMDL32.EXE | DRL 1.0 |
| sigma | proc_creation_win_susp_cmdl32_lolbas.yml | condition: cmdl32 and options | DRL 1.0 |
| LOLBAS | Cmdl32.yml | Name: cmdl32.exe | |
| LOLBAS | Cmdl32.yml | - Command: cmdl32 /vpn /lan %cd%\config | |
| LOLBAS | Cmdl32.yml | - Path: C:\Windows\System32\cmdl32.exe | |
| LOLBAS | Cmdl32.yml | - Path: C:\Windows\SysWOW64\cmdl32.exe | |
| atomic-red-team | T1105.md | Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.