control.exe

  • File Path: C:\Windows\SysWOW64\control.exe
  • Description: Windows Control Panel

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\control.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONTROL.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.423 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.423
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 1/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/d923f812bf0191f3344de6cd5fceaf6c7b2f6961f637c74c2aa329fb3f8ca6c5/detection

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Windows\system32\control.exe | 68 |
| C:\WINDOWS\system32\control.exe | 63 |
| C:\windows\system32\control.exe | 63 |
| C:\WINDOWS\system32\control.exe | 65 |
| C:\Windows\system32\control.exe | 61 |
| C:\Windows\system32\control.exe | 65 |
| C:\Windows\system32\control.exe | 66 |
| C:\Windows\SysWOW64\control.exe | 63 |
| C:\Windows\SysWOW64\control.exe | 66 |
| C:\WINDOWS\SysWOW64\control.exe | 63 |
| C:\Windows\SysWOW64\control.exe | 66 |
| C:\WINDOWS\SysWOW64\control.exe | 66 |
| C:\windows\SysWOW64\control.exe | 65 |

Possible Misuse

The following table contains possible examples of control.exe being misused. While control.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | Image\|endswith: '\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe input.dll' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe" input.dll' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_dll_load.yml | description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits | DRL 1.0 |
| sigma | proc_creation_win_susp_control_dll_load.yml | ParentImage\|endswith: '\System32\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | description: Detects using WorkFolders.exe to execute an arbitrary control.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | Image\|endswith: '\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | Image: 'C:\Windows\System32\control.exe' | DRL 1.0 |
| LOLBAS | Control.yml | Name: Control.exe | |
| LOLBAS | Control.yml | - Command: control.exe c:\windows\tasks\file.txt:evil.dll | |
| LOLBAS | Control.yml | - Path: C:\Windows\System32\control.exe | |
| LOLBAS | Control.yml | - Path: C:\Windows\SysWOW64\control.exe | |
| LOLBAS | Control.yml | - IOC: Control.exe executing files from alternate data streams | |
| LOLBAS | Control.yml | - IOC: Control.exe executing library file without cpl extension | |
| LOLBAS | Control.yml | - IOC: Suspicious network connections from control.exe | |
| LOLBAS | WorkFolders.yml | Description: Execute control.exe in the current working directory | |
| atomic-red-team | T1218.002.md | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.002.md | This test simulates an adversary leveraging control.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.002.md | control.exe #{cpl_file_path} | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.