odbcconf.exe

  • File Path: C:\WINDOWS\SysWOW64\odbcconf.exe
  • Description: ODBC Driver Configuration Program

Screenshot

odbcconf.exe

Hashes

Type Hash
MD5 86D1F10725566E818EEDB82ACBCD5CBE
SHA1 76A40EE9C48CCD840E236C769165D77E1CD28B16
SHA256 1FE23FAB90945A9C7EE6029FD953BF9360544127444B71620DA6852C408DD04E
SHA384 1AFB8FE726725389DA550AB39B66A2BF32E0C0F22D4081FE07057A2571880FF30E927DD451B124B9FE669F3E9E0FA962
SHA512 EFDD926F4AC98924D8FE09CD8E07BEFA3356B3E7C6AA49829EFDCD86FABB4F9D3E2D8E202E31254498460AC6C88795674448D4B136BDC1838373785AA441D1FE
SSDEEP 384:yVrAigT9MLPeRYdggm+EVlCK2tCnnnMreqsOlJvHRp/VeBdpStFVzlYOyvC1yJaG:gPe97ntuJgggC16SQs9sj

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: odbcconf.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\SysWOW64\odbcconf.exe 60
C:\windows\SysWOW64\odbcconf.exe 33
C:\WINDOWS\SysWOW64\odbcconf.exe 35
C:\Windows\SysWOW64\odbcconf.exe 35
C:\Windows\SysWOW64\odbcconf.exe 47

Possible Misuse

The following table contains possible examples of odbcconf.exe being misused. While odbcconf.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_susp_odbcconf.yml title: Application Whitelisting Bypass via DLL Loaded by odbcconf.exe DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml description: Detects defence evasion attempt via odbcconf.exe execution to load DLL DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml - https://github.com/LOLBAS-Project/LOLBAS/blob/master/yml/OSBinaries/Odbcconf.yml DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml Image\|endswith: '\odbcconf.exe' DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml ParentImage\|endswith: '\odbcconf.exe' DRL 1.0
sigma proc_creation_win_susp_odbcconf.yml - Legitimate use of odbcconf.exe by legitimate user DRL 1.0
LOLBAS Odbcconf.yml Name: Odbcconf.exe  
LOLBAS Odbcconf.yml - Command: odbcconf -f file.rsp  
LOLBAS Odbcconf.yml - Command: odbcconf /a {REGSVR c:\test\test.dll}  
LOLBAS Odbcconf.yml - Path: C:\Windows\System32\odbcconf.exe  
LOLBAS Odbcconf.yml - Path: C:\Windows\SysWOW64\odbcconf.exe  
atomic-red-team index.md - T1218.008 Odbcconf MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.008 Odbcconf MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Odbcconf.exe - Execute Arbitrary DLL [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | Shortcut Modification | Valid Accounts CONTRIBUTE A TEST | Odbcconf | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Shortcut Modification | Winlogon Helper DLL | Odbcconf | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md # T1218.008 - Odbcconf MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md <blockquote>Adversaries may abuse odbcconf.exe to proxy execution of malicious payloads. Odbcconf.exe is a Windows utility that allows you to configure Open Database Connectivity (ODBC) drivers and data source names.(Citation: Microsoft odbcconf.exe) Odbcconf.exe is digitally signed by Microsoft. MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md Adversaries may abuse odbcconf.exe to bypass application control solutions that do not account for its potential abuse. Similar to Regsvr32, odbcconf.exe has a REGSVR flag that can be misused to execute DLLs (ex: odbcconf.exe /S /A {REGSVR "C:\Users\Public\file.dll"}). (Citation: LOLBAS Odbcconf)(Citation: TrendMicro Squiblydoo Aug 2017)(Citation: TrendMicro Cobalt Group Nov 2017) MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md - Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md ## Atomic Test #1 - Odbcconf.exe - Execute Arbitrary DLL MIT License. © 2018 Red Canary
atomic-red-team T1218.008.md odbcconf.exe /S /A {REGSVR “#{dll_payload}”} MIT License. © 2018 Red Canary
stockpile a74bc239-a196-4f7e-8d5c-fe8c0266071c.yml name: Signed Binary Execution - odbcconf Apache-2.0
stockpile a74bc239-a196-4f7e-8d5c-fe8c0266071c.yml description: Leverage odbcconf for DLL injection Apache-2.0
stockpile a74bc239-a196-4f7e-8d5c-fe8c0266071c.yml odbcconf.exe /S /A {REGSVR "C:\Users\Public\sandcat.dll"} Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.