control.exe

  • File Path: C:\WINDOWS\system32\control.exe
  • Description: Windows Control Panel

Hashes

  • MD5: 44A936B4839A614723811EA66423B432
  • SHA1: 716B3868B134CBA61ADD06FA46C0387B63BC79C3
  • SHA256: FECC2504B781D79224D9E40069A3A8F87E654D04F11EBD5AC4F478CE7B7326B0
  • SHA384: A3192CBC01B04338DC88C53E60A17D7BCB3E4A84A971EB7D69C98D98B246E6746CA2D2EB50C6E37A9BCF91736B5846F9
  • SHA512: 8A2F51C00A74A0AAC0FB5D8A52AA108B01074A3BAF0F02E1149E677EFB07208E4AB7F8B60E7EBD9C66064F63C3A11E68689797EA27DAFB2976E9E0AB4959B780
  • SSDEEP: 1536:wjTKADinM/G7oS4B1jFe/qzSpZ3r1q6QkjfkQUk8+k6kawM1x8Dkf8dani25imK:ElCo1BRF7Sp5+1k12b/Af885RK
  • IMP: 7A8EC2645C24D85DE8216D63022623C0
  • PESHA1: A9ED3CF6DBD543A2AB9C38364440D277141EF013
  • PE256: CB77A33DEE4BAE809941BFC4F0485E42335595BAD94359CF52E7210F618BCB0B

Runtime Data

Loaded Modules (Path):

  • C:\WINDOWS\System32\ADVAPI32.dll
  • C:\WINDOWS\System32\combase.dll
  • C:\WINDOWS\system32\control.exe
  • C:\WINDOWS\System32\GDI32.dll
  • C:\WINDOWS\System32\gdi32full.dll
  • C:\WINDOWS\System32\KERNEL32.DLL
  • C:\WINDOWS\System32\KERNELBASE.dll
  • C:\WINDOWS\System32\msvcp_win.dll
  • C:\WINDOWS\System32\msvcrt.dll
  • C:\WINDOWS\SYSTEM32\ntdll.dll
  • C:\WINDOWS\System32\RPCRT4.dll
  • C:\WINDOWS\System32\sechost.dll
  • C:\WINDOWS\System32\SHELL32.dll
  • C:\WINDOWS\System32\SHLWAPI.dll
  • C:\WINDOWS\System32\ucrtbase.dll
  • C:\WINDOWS\System32\USER32.dll
  • C:\WINDOWS\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONTROL.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/fecc2504b781d79224d9e40069a3a8f87e654d04f11ebd5ac4f478ce7b7326b0/detection

File Similarity (ssdeep match)

  • C:\Windows\system32\control.exe: 69
  • C:\windows\system32\control.exe: 77
  • C:\WINDOWS\system32\control.exe: 79
  • C:\Windows\system32\control.exe: 80
  • C:\Windows\system32\control.exe: 77
  • C:\Windows\system32\control.exe: 77
  • C:\Windows\SysWOW64\control.exe: 85
  • C:\Windows\SysWOW64\control.exe: 79
  • C:\Windows\SysWOW64\control.exe: 63
  • C:\WINDOWS\SysWOW64\control.exe: 80
  • C:\Windows\SysWOW64\control.exe: 80
  • C:\WINDOWS\SysWOW64\control.exe: 82
  • C:\windows\SysWOW64\control.exe: 80

Possible Misuse

The following list contains possible examples of control.exe being misused. While control.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source, the source file, the matching excerpt, and the license under which that source is published.

  • sigma, proc_creation_win_susp_control_cve_2021_40444.yml (DRL 1.0):
      Image|endswith: '\control.exe'
      - '\control.exe input.dll'
      - '\control.exe" input.dll'
  • sigma, proc_creation_win_susp_control_dll_load.yml (DRL 1.0):
      description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits
      ParentImage|endswith: '\System32\control.exe'
  • sigma, proc_creation_win_susp_workfolders.yml (DRL 1.0):
      description: Detects using WorkFolders.exe to execute an arbitrary control.exe
      Image|endswith: '\control.exe'
      Image: 'C:\Windows\System32\control.exe'
  • LOLBAS, Control.yml (no license listed):
      Name: Control.exe
      - Command: control.exe c:\windows\tasks\file.txt:evil.dll
      - Path: C:\Windows\System32\control.exe
      - Path: C:\Windows\SysWOW64\control.exe
      - IOC: Control.exe executing files from alternate data streams
      - IOC: Control.exe executing library file without cpl extension
      - IOC: Suspicious network connections from control.exe
  • LOLBAS, WorkFolders.yml (no license listed):
      Description: Execute control.exe in the current working directory
  • atomic-red-team, T1218.002.md (MIT License, © 2018 Red Canary):
      Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings.
      This test simulates an adversary leveraging control.exe
      control.exe #{cpl_file_path}

MIT License. Copyright (c) 2020-2021 Strontic.