Last Updated: 2023-05-05 17:00:59 UTC
by Renato Marinho (Version: 1)
While analyzing a Guildma (AKA Astaroth) sample recently uploaded to MalwareBazaar , we came across a chain of LOLBIN abuse. It is not uncommon to see malicious code using the LOLBIN ‘bitsadmin.exe’ to download artifacts from the Internet. However, what is interesting in this case is that Guildma first copies ‘bitsadmin.exe’ to a less suspect path using ‘colorcpl.exe’, another LOLBIN, before executing it.
The ‘colorcpl.exe’ binary is the command line tool to open the Windows Color Management panel. When used without parameters, it just opens the tool. If a file is given as a parameter, ‘colorcpl.exe’ will copy the file to the ‘c:\windows\system32\spool\drivers\color\’ path. This path is writable by any user?—?so there is nothing here related to abusing the binary to access a privileged location. It seems to be a way to not draw the attention of security controls by avoiding using the ‘copy’ command.
By doing so, Guilma may bypass security controls that expect to detect the abuse of bitsadmin.exe executed on its original folder.
References to ‘colorcpl.exe’ misusing can be found at xClopedia  and Mandiant Red Team Countermeasures . There is also a project with KQL query to detect ‘colorcpl.exe’ abuse at .
* Analysis in collaboration with Mateus Santos.