cmdl32.exe

  • File Path: C:\Windows\system32\cmdl32.exe
  • Description: Microsoft Connection Manager Auto-Download

Hashes

Type Hash
MD5 FA1D5B8802FFF4A85B6F52A52C871BBB
SHA1 5A16BEBFAF89081DE501887AB8582C3852D7B37A
SHA256 9489CB8520A6AEA11FA6B1A2F019768417DC4963C1369CC87D4E1107C2ED788B
SHA384 75C811694B3E2F7C1444129C048A91ADAE5D41DDFAB17EE93FC35525F0E8B6F66E1FF3564D651407AF57F7E6D9EC808B
SHA512 80746D6688E84B95A2174E57F64A3671A65796CD44776BD0F730BF14526F43E16A7CF42C75D871DA3976FD357D71D3EDC9E23E0A050096CA10D06C4869568AC5
SSDEEP 1536:Sg54co5XqW6rJ9HT05zevkp8KdUaAEuI:SqOY5s8KdUpI

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CMDL32.EXE.MUI
  • Product Name: Microsoft(R) Connection Manager
  • Company Name: Microsoft Corporation
  • File Version: 7.2.14393.0 (rs1_release.160715-1616)
  • Product Version: 7.2.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\cmdl32.exe 35
C:\Windows\system32\cmdl32.exe 30
C:\Windows\system32\cmdl32.exe 30

Possible Misuse

The following table contains possible examples of cmdl32.exe being misused. While cmdl32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_cmdl32_lolbas.yml title: Suspicious Cmdl32 Execution DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml description: lolbas Cmdl32 is use to download a payload to evade antivirus DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml cmdl32: DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - Image\|endswith: '\cmdl32.exe' DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml - OriginalFileName: CMDL32.EXE DRL 1.0
sigma proc_creation_win_susp_cmdl32_lolbas.yml condition: cmdl32 and options DRL 1.0
LOLBAS Cmdl32.yml Name: cmdl32.exe  
LOLBAS Cmdl32.yml - Command: cmdl32 /vpn /lan %cd%\config  
LOLBAS Cmdl32.yml - Path: C:\Windows\System32\cmdl32.exe  
LOLBAS Cmdl32.yml - Path: C:\Windows\SysWOW64\cmdl32.exe  
atomic-red-team T1105.md Uses the cmdl32 to download arbitrary file from the internet. The cmdl32 package is allowed to install the profile used to launch the VPN connection. However, the config is modified to download the arbitary file. MIT License. © 2018 Red Canary
atomic-red-team T1105.md The issue of cmdl32.exe detecting and deleting the payload by identifying it as not a VPN Servers profile is avoided by setting a temporary TMP folder and denying the delete permission to all files for the user. MIT License. © 2018 Red Canary
atomic-red-team T1105.md https://lolbas-project.github.io/lolbas/Binaries/Cmdl32/ MIT License. © 2018 Red Canary
atomic-red-team T1105.md https://strontic.github.io/xcyclopedia/library/cmdl32.exe-FA1D5B8802FFF4A85B6F52A52C871BBB.html MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.