mmc.exe

  • File Path: C:\Windows\SysWOW64\mmc.exe
  • Description: Microsoft Management Console

Screenshot

mmc.exe mmc.exe

Hashes

Type Hash
MD5 08CA3F1D18A0B8F55098C3940AFD088E
SHA1 9767ED8E2F8281A8FB97412B01FA852D8217CCAF
SHA256 8A0DDA9BE75167FCA4094CA23B2091E78A9E690EF3A584E815048BA9DB24AFFD
SHA384 B3D6A7E66D6DA3EEC7131EC1002FC3510E5956C7EA2D33C4AA86CA3D4CDD01E2ACE96BFD4A94E21E9DB542E9311E23A7
SHA512 94219C6143FEA5BAF6F0E38FC8C8F099576A0C884FFE1AEE7C426EAE147ECDE3AA57CB8A883018DB03578714CB4EBEC9B390E295537B68745325C76D84626378
SSDEEP 24576:lrvfwg1B79V2fSiqr39cUbMo7wMo7DH7UBwOstnLjqW:Bw6WK7e7DH7rPnvqW
IMP 7DBDBB686BA1917B8DEC4BF0D54883CB
PESHA1 8C2B98A1B51B3FCB12564095B043C33AD862499B
PE256 EBD1B07D5F31EC17E111FD8C7B1159189BE67C72E3CA7E4C51D74D98515BA196

Runtime Data

Child Processes:

mmc.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\mmc.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mmc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/69
  • VirusTotal Link: https://www.virustotal.com/gui/file/8a0dda9be75167fca4094ca23b2091e78a9e690ef3a584e815048ba9db24affd/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\mmc.exe 33
C:\windows\system32\mmc.exe 30
C:\Windows\system32\mmc.exe 38
C:\Windows\system32\mmc.exe 40
C:\Windows\system32\mmc.exe 27
C:\Windows\system32\mmc.exe 30
C:\Windows\SysWOW64\mmc.exe 35
C:\Windows\SysWOW64\mmc.exe 29
C:\windows\SysWOW64\mmc.exe 30
C:\Windows\SysWOW64\mmc.exe 30
C:\Windows\SysWOW64\mmc.exe 30
C:\WINDOWS\SysWOW64\mmc.exe 32
C:\WINDOWS\SysWOW64\mmc.exe 33

Possible Misuse

The following table contains possible examples of mmc.exe being misused. While mmc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_user_driver_loaded.yml - '\Windows\System32\mmc.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\mmc.exe' DRL 1.0
sigma file_event_win_uac_bypass_dotnet_profiler.yml description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) DRL 1.0
sigma pipe_created_susp_adfs_namedpipe_connection.yml - '\mmc.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # parent is mmc.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\mmc.exe' # dcomexec MMC DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml Image\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml ParentImage\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_susp_taskmgr_parent.yml - '\mmc.exe' DRL 1.0
sigma proc_creation_win_sysmon_uac_bypass_eventvwr.yml Image\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_wmp.yml ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' DRL 1.0
sigma registry_event_bypass_uac_using_eventviewer.yml Details: '%SystemRoot%\system32\mmc.exe "%1" %*' DRL 1.0
LOLBAS Eventvwr.yml Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.  
LOLBAS Eventvwr.yml - IOC: eventvwr.exe launching child process other than mmc.exe  
LOLBAS Mmc.yml Name: Mmc.exe  
LOLBAS Mmc.yml - Command: mmc.exe -Embedding c:\path\to\test.msc  
LOLBAS Mmc.yml - Command: mmc.exe gpedit.msc  
LOLBAS Mmc.yml - Path: C:\Windows\System32\mmc.exe  
LOLBAS Mmc.yml - Path: C:\Windows\SysWOW64\mmc.exe  
LOLBAS Wsreset.yml - IOC: wsreset.exe launching child process other than mmc.exe  
malware-ioc nukesped_lazarus .mmc.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team T1548.002.md copy “#{executable_binary}” “\?\C:\Windows \System32\mmc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md mklink c:\testbypass.exe “\?\C:\Windows \System32\mmc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Target: \system32\mmc.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md START MMC.EXE EVENTVWR.MSC MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $a5 = “taskkill /f /im mmc.exe” fullword ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

mmc

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Using mmc command-line options, you can open a specific mmc console, open mmc in author mode, or specify that the 32-bit or 64-bit version of mmc is opened.

Syntax

mmc <path>\<filename>.msc [/a] [/64] [/32]

Parameters

Parameter Description
<path>\<filename>.msc starts mmc and opens a saved console. You need to specify the complete path and file name for the saved console file. If you do not specify a console file, mmc opens a new console.
/a Opens a saved console in author mode. Used to make changes to saved consoles.
/64 Opens the 64-bit version of mmc (mmc64). Use this option only if you are running a Microsoft 64-bit operating system and want to use a 64-bit snap-in.
/32 Opens the 32-bit version of mmc (mmc32). When running a Microsoft 64-bit operating system, you can run 32-bit snap-ins by opening mmc with this command-line option when you have 32-bit only snap-ins.

Remarks

  • You can use environment variables to create command lines or shortcuts that don’t depend on the explicit location of console files. For instance, if the path to a console file is in the system folder (for example, mmc c:\winnt\system32\console_name.msc), you can use the expandable data string %systemroot% to specify the location (mmc%systemroot%\system32\console_name.msc). This may be useful if you’re delegating tasks to people in your organization who are working on different computers.

  • When consoles are opened using the /a option, they’re opened in author mode, regardless of their default mode. This doesn’t permanently change the default mode setting for files; when you omit this option, mmc opens console files according to their default mode settings.

  • After you open mmc or a console file in author mode, you can open any existing console by clicking Open on the Console menu.

  • You can use the command line to create shortcuts for opening mmc and saved consoles. A command-line command works with the Run command on the Start menu, in any command-prompt window, in shortcuts, or in any batch file or program that calls the command.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.