control.exe

  • File Path: C:\Windows\system32\control.exe
  • Description: Windows Control Panel

Hashes

  • MD5: 88EA810385F455C74306D71C4879C61C
  • SHA1: 391FF1F690C0912C217B3CF625900D4F50128867
  • SHA256: 4774A931C9D97828323C9E829917D82C27A05DAB9FEA6A0CEF9EBBA59942231F
  • SHA384: 2D51CBBBEA71C5A687265880F9217579E944B4B2FD674EFF2084346B091B17F0837AA760802D1B7DDC40735BD10B7E45
  • SHA512: D816977F9B9B147050937DF7663BE074FD44AA6DBFF608A0E673BC2739FC1A1DBEE506668A252D0A3A0B7E430A9B084502A9E7F7D4BB5EE69621FEFE861D5646
  • SSDEEP: 1536:trl0+A4FF/P4yXBe/qzSpZ3r1q6QkjfkQUk8+k6kawM1x8Dkf8dani25imK:tyt43/g4B7Sp5+1k12b/Af885RK
  • IMP: 7A8EC2645C24D85DE8216D63022623C0
  • PESHA1: 02AAB43D7AC03E57605ED06AC76CC4341940D632
  • PE256: B634DD6A48F90C911758842BE7ED72324363CDE8EF7C72BB37813EC2B67DFAE0

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\clbcatq.dll
C:\Windows\System32\combase.dll
C:\Windows\system32\control.exe
C:\Windows\System32\cryptsp.dll
C:\Windows\system32\edputil.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\ole32.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\system32\PROPSYS.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\SHLWAPI.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONTROL.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/4774a931c9d97828323c9e829917d82c27a05dab9fea6a0cef9ebba59942231f/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\control.exe 68
C:\WINDOWS\system32\control.exe 80
C:\windows\system32\control.exe 82
C:\WINDOWS\system32\control.exe 83
C:\Windows\system32\control.exe 77
C:\Windows\system32\control.exe 79
C:\Windows\SysWOW64\control.exe 85
C:\Windows\SysWOW64\control.exe 80
C:\Windows\SysWOW64\control.exe 61
C:\WINDOWS\SysWOW64\control.exe 82
C:\Windows\SysWOW64\control.exe 83
C:\WINDOWS\SysWOW64\control.exe 83
C:\windows\SysWOW64\control.exe 80

Possible Misuse

The following table contains possible examples of control.exe being misused. While control.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_susp_control_cve_2021_40444.yml | Image|endswith: '\control.exe' | DRL 1.0
sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe input.dll' | DRL 1.0
sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe" input.dll' | DRL 1.0
sigma | proc_creation_win_susp_control_dll_load.yml | description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits | DRL 1.0
sigma | proc_creation_win_susp_control_dll_load.yml | ParentImage|endswith: '\System32\control.exe' | DRL 1.0
sigma | proc_creation_win_susp_workfolders.yml | description: Detects using WorkFolders.exe to execute an arbitrary control.exe | DRL 1.0
sigma | proc_creation_win_susp_workfolders.yml | Image|endswith: '\control.exe' | DRL 1.0
sigma | proc_creation_win_susp_workfolders.yml | Image: 'C:\Windows\System32\control.exe' | DRL 1.0
LOLBAS | Control.yml | Name: Control.exe |
LOLBAS | Control.yml | - Command: control.exe c:\windows\tasks\file.txt:evil.dll |
LOLBAS | Control.yml | - Path: C:\Windows\System32\control.exe |
LOLBAS | Control.yml | - Path: C:\Windows\SysWOW64\control.exe |
LOLBAS | Control.yml | - IOC: Control.exe executing files from alternate data streams |
LOLBAS | Control.yml | - IOC: Control.exe executing library file without cpl extension |
LOLBAS | Control.yml | - IOC: Suspicious network connections from control.exe |
LOLBAS | WorkFolders.yml | Description: Execute control.exe in the current working directory |
atomic-red-team | T1218.002.md | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. | MIT License. © 2018 Red Canary
atomic-red-team | T1218.002.md | This test simulates an adversary leveraging control.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1218.002.md | control.exe #{cpl_file_path} | MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.