control.exe

  • File Path: C:\WINDOWS\SysWOW64\control.exe
  • Description: Windows Control Panel

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\control.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: CONTROL.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/1317e60c089b4ce47a3ecd00cce646644f50db11d52d07f229c097ffff26b597/detection

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Windows\system32\control.exe | 66 |
| C:\WINDOWS\system32\control.exe | 82 |
| C:\windows\system32\control.exe | 83 |
| C:\WINDOWS\system32\control.exe | 83 |
| C:\Windows\system32\control.exe | 83 |
| C:\Windows\system32\control.exe | 80 |
| C:\Windows\system32\control.exe | 83 |
| C:\Windows\SysWOW64\control.exe | 88 |
| C:\Windows\SysWOW64\control.exe | 83 |
| C:\Windows\SysWOW64\control.exe | 66 |
| C:\WINDOWS\SysWOW64\control.exe | 86 |
| C:\Windows\SysWOW64\control.exe | 88 |
| C:\windows\SysWOW64\control.exe | 85 |

Possible Misuse

The following table contains possible examples of control.exe being misused. While control.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | Image\|endswith: '\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe input.dll' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_cve_2021_40444.yml | - '\control.exe" input.dll' | DRL 1.0 |
| sigma | proc_creation_win_susp_control_dll_load.yml | description: Detects suspicious Rundll32 execution from control.exe as used by Equation Group and Exploit Kits | DRL 1.0 |
| sigma | proc_creation_win_susp_control_dll_load.yml | ParentImage\|endswith: '\System32\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | description: Detects using WorkFolders.exe to execute an arbitrary control.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | Image\|endswith: '\control.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_workfolders.yml | Image: 'C:\Windows\System32\control.exe' | DRL 1.0 |
| LOLBAS | Control.yml | Name: Control.exe | |
| LOLBAS | Control.yml | - Command: control.exe c:\windows\tasks\file.txt:evil.dll | |
| LOLBAS | Control.yml | - Path: C:\Windows\System32\control.exe | |
| LOLBAS | Control.yml | - Path: C:\Windows\SysWOW64\control.exe | |
| LOLBAS | Control.yml | - IOC: Control.exe executing files from alternate data streams | |
| LOLBAS | Control.yml | - IOC: Control.exe executing library file without cpl extension | |
| LOLBAS | Control.yml | - IOC: Suspicious network connections from control.exe | |
| LOLBAS | WorkFolders.yml | Description: Execute control.exe in the current working directory | |
| atomic-red-team | T1218.002.md | Adversaries may abuse control.exe to proxy execution of malicious payloads. The Windows Control Panel process binary (control.exe) handles execution of Control Panel items, which are utilities that allow users to view and adjust computer settings. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.002.md | This test simulates an adversary leveraging control.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.002.md | control.exe #{cpl_file_path} | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.