While analyzing a Guildma (AKA Astaroth) sample recently uploaded to MalwareBazaar, we came across a chain of LOLBIN abuse. It is not uncommon to see malicious code using the LOLBIN ‘bitsadmin.exe’ to download artifacts from the Internet. However, what is interesting in this case is that Guildma first copies ‘bitsadmin.exe’ to a less suspicious path using ‘colorcpl.exe’, another LOLBIN, before executing it.
The ‘colorcpl.exe’ binary is the command line tool to open the Windows Color Management panel. When used without parameters, it just opens the tool. If a file is given as a parameter, ‘colorcpl.exe’ will copy the file to the ‘c:\windows\system32\spool\drivers\color’ path. This path is writable by any user, so there is nothing here related to abusing the binary to access a privileged location. It seems to be a way to avoid drawing the attention of security controls by not using the ‘copy’ command.
By doing so, Guildma may bypass security controls that expect to detect the abuse of ‘bitsadmin.exe’ executed from its original folder.
References to ‘colorcpl.exe’ misuse can be found at xClopedia and Mandiant Red Team Countermeasures. There is also a project with a KQL query to detect ‘colorcpl.exe’ abuse in the FalconForceTeam FalconFriday repository.
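The two behaviors described above can be checked in process-creation telemetry. The following is an added example, not code from the diary or from the referenced projects; it assumes Sysmon-style event fields (Image, CommandLine, OriginalFileName), and the sample events are constructed.

```python
import ntpath

# Directory colorcpl.exe copies its file argument into (from the diary text).
COLOR_DIR = r"c:\windows\system32\spool\drivers\color"
# Assumption: standard locations of the genuine bitsadmin.exe.
BITSADMIN_HOMES = {r"c:\windows\system32", r"c:\windows\syswow64"}


def command_args(command_line):
    """Return whatever follows the executable token in a command line."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[end + 1:].strip() if end != -1 else ""
    parts = cl.split(None, 1)
    return parts[1].strip() if len(parts) > 1 else ""


def classify(event):
    """Return the list of findings for one process-creation event."""
    image = event["Image"].lower()
    folder, name = ntpath.split(image)
    original = event.get("OriginalFileName", "").lower()
    findings = []
    if name == "colorcpl.exe" and command_args(event["CommandLine"]):
        findings.append("colorcpl.exe run with a file argument")
    if folder == COLOR_DIR and name.endswith(".exe"):
        findings.append("executable started from the color profile directory")
    if "bitsadmin.exe" in (name, original) and folder not in BITSADMIN_HOMES:
        findings.append("bitsadmin.exe running outside its original folder")
    return findings


# Constructed sample events (not taken from the analyzed sample).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\colorcpl.exe",
     "CommandLine": r"colorcpl.exe"},
    {"Image": r"C:\Windows\System32\colorcpl.exe",
     "CommandLine": r'"C:\Windows\System32\colorcpl.exe" C:\Windows\System32\bitsadmin.exe'},
    {"Image": r"C:\Windows\System32\spool\drivers\color\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /list"},
    {"Image": r"C:\Windows\System32\bitsadmin.exe",
     "CommandLine": r"bitsadmin.exe /list"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["Image"], "->", classify(ev) or "no finding")
```

The OriginalFileName comparison also catches a copy of ‘bitsadmin.exe’ that was renamed after being moved, which a check on the image name alone would miss.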
* Analysis in collaboration with Mateus Santos.
 MalwareBazaar | SHA256 c7aa1f959055026205d48568ec9743aca2a7f9489aa9470a76bd6ef95a7abad2 (Guildma) (abuse.ch)
 colorcpl.exe | Microsoft Color Control Panel | STRONTIC
 red_team_tool_countermeasures/SUSPICIOUS EXECUTION OF COLORCPL.EXE (METHODOLOGY).ioc at master · mandiant/red_team_tool_countermeasures (github.com)
 FalconFriday/FireEye_red_team_tool_countermeasures.md at master · FalconForceTeam/FalconFriday (github.com)
Morphus Labs
(c) SANS Internet Storm Center. https://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.