control.exe

  • File Path: C:\windows\system32\control.exe
  • Description: Windows Control Panel

Signature

  • Status: The file C:\windows\system32\control.exe is not digitally signed.
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: CONTROL.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.17415 (winblue_r4.141028-1500)
  • Product Version: 6.3.9600.17415
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\control.exe 71
C:\WINDOWS\system32\control.exe 77
C:\WINDOWS\system32\control.exe 83
C:\Windows\system32\control.exe 82
C:\Windows\system32\control.exe 82
C:\Windows\system32\control.exe 80
C:\Windows\SysWOW64\control.exe 85
C:\Windows\SysWOW64\control.exe 82
C:\Windows\SysWOW64\control.exe 63
C:\WINDOWS\SysWOW64\control.exe 86
C:\Windows\SysWOW64\control.exe 83
C:\WINDOWS\SysWOW64\control.exe 83
C:\windows\SysWOW64\control.exe 85

Possible Misuse

The following table contains possible examples of control.exe being misused. While control.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | Image\|endswith: '\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe input.dll' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe" input.dll' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_dll_load.yml | description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits | DRL 1.0 |
| sigma | proc_creation_win_susp_control_dll_load.yml | ParentImage\|endswith: '\System32\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | description: Detects using WorkFolders.exe to execute an arbitrary control.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | Image\|endswith: '\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | Image: 'C:\Windows\System32\control.exe' | DRL 1.0 |
| LOLBAS | Control.yml | Name: Control.exe | |
| LOLBAS | Control.yml | - Command: control.exe c:\windows\tasks\file.txt:evil.dll | |
| LOLBAS | Control.yml | - Path: C:\Windows\System32\control.exe | |
| LOLBAS | Control.yml | - Path: C:\Windows\SysWOW64\control.exe | |
| LOLBAS | Control.yml | - IOC: Control.exe executing files from alternate data streams | |
| LOLBAS | Control.yml | - IOC: Control.exe executing library file without cpl extension | |
| LOLBAS | Control.yml | - IOC: Suspicious network connections from control.exe | |
| LOLBAS | WorkFolders.yml | Description: Execute control.exe in the current working directory | |
| atomic-red-team | T1218.002.md | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.002.md | This test simulates an adversary leveraging control.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.002.md | control.exe #{cpl_file_path} | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.