control.exe

  • File Path: C:\WINDOWS\SysWOW64\control.exe
  • Description: Windows Control Panel

Hashes

| Type | Hash |
|------|------|
| MD5 | C7C91F18B0F90ABE6C09D3CEAA895E83 |
| SHA1 | F15672683046572F4E9EF8775E2EE4A178B62CA6 |
| SHA256 | D494605A89952CFFBAA36C781F7DDD4A0D9C41350C5BC7B4CCBB5BA95D0DA949 |
| SHA384 | 9ADC1BFB6523584C31CAEFD1F00B85D5BCE7F11CC4AFE1EB2D5EA7380B51EC7D1FF65CA62EBE47C86AFD175FC42E4876 |
| SHA512 | BFE68FE2086C42A82897F50F38BC3C82791C2F67ACED8CCC294174F87408EDC782124FFFB2F8903FD6BBAF3C954C72B0733C6C81789353FD2F4534853FB86A8C |
| SSDEEP | 1536:i/Q2Cd4Ovve/qzSpZ3r1q6QkjfkQUk8+k6kawM1x8Dkf8dani25imKh:vY8v7Sp5+1k12b/Af885RK |

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONTROL.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
|------|-------|
| C:\Windows\system32\control.exe | 66 |
| C:\WINDOWS\system32\control.exe | 80 |
| C:\windows\system32\control.exe | 86 |
| C:\WINDOWS\system32\control.exe | 85 |
| C:\Windows\system32\control.exe | 82 |
| C:\Windows\system32\control.exe | 83 |
| C:\Windows\system32\control.exe | 80 |
| C:\Windows\SysWOW64\control.exe | 85 |
| C:\Windows\SysWOW64\control.exe | 86 |
| C:\Windows\SysWOW64\control.exe | 63 |
| C:\Windows\SysWOW64\control.exe | 88 |
| C:\WINDOWS\SysWOW64\control.exe | 86 |
| C:\windows\SysWOW64\control.exe | 83 |

Possible Misuse

The following table contains possible examples of control.exe being misused. While control.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | Image\|endswith: '\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe input.dll' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe" input.dll' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_dll_load.yml | description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits | DRL 1.0 |
| sigma | proc_creation_win_susp_control_dll_load.yml | ParentImage\|endswith: '\System32\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | description: Detects using WorkFolders.exe to execute an arbitrary control.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | Image\|endswith: '\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | Image: 'C:\Windows\System32\control.exe' | DRL 1.0 |
| LOLBAS | Control.yml | Name: Control.exe | |
| LOLBAS | Control.yml | - Command: control.exe c:\windows\tasks\file.txt:evil.dll | |
| LOLBAS | Control.yml | - Path: C:\Windows\System32\control.exe | |
| LOLBAS | Control.yml | - Path: C:\Windows\SysWOW64\control.exe | |
| LOLBAS | Control.yml | - IOC: Control.exe executing files from alternate data streams | |
| LOLBAS | Control.yml | - IOC: Control.exe executing library file without cpl extension | |
| LOLBAS | Control.yml | - IOC: Suspicious network connections from control.exe | |
| LOLBAS | WorkFolders.yml | Description: Execute control.exe in the current working directory | |
| atomic-red-team | T1218.002.md | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.002.md | This test simulates an adversary leveraging control.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.002.md | control.exe #{cpl_file_path} | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.