mmc.exe

  • File Path: C:\Windows\SysWOW64\mmc.exe
  • Description: Microsoft Management Console

Screenshot

mmc.exe mmc.exe

Hashes

Type Hash
MD5 2E79501B1C8231FCB65785F2592468CA
SHA1 411B7BBE6AFE193C32633A9A78BB36AFF78A08FC
SHA256 095B584662C42B9DAC72FF2505BCEB86B80B9BB10A7875D0F0C17BEC6FBFF583
SHA384 0E7572E703A3978C4B7B63E29D3BDC7DCC3CA11BEECC91050125396DF3F70934614C4A5A618865BF506C500A438DE4E7
SHA512 452E68D76A36B6DBCFD3574F30350EFF7876A620ADE1F492C270EECD593ECBAE9B97F0FD3A19306323FC6310D502CDD0E3A95DCA0310B4181C043BA0CF11BC6C
SSDEEP 24576:X7XbAk9Y7CUMOcYTmyaX1TOLB117JWlkTm/Mo7wMo7DHxuGwy8:X7X5Y1nsXRgU+Y7e7DHAGwy8
IMP E930A44493D92B845A352867BF590FC8
PESHA1 79329553F6D9D8481ABB9210EA5BA7F0A8C98784
PE256 2E5424335E9DD440E1D80BCD1D92284EF0AAFB1763B94AF6D6CC62D65550EAFE

Runtime Data

Child Processes:

mmc.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\mmc.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mmc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/095b584662c42b9dac72ff2505bceb86b80b9bb10a7875d0f0c17bec6fbff583/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\mmc.exe 33
C:\windows\system32\mmc.exe 27
C:\Windows\system32\mmc.exe 30
C:\Windows\system32\mmc.exe 30
C:\Windows\system32\mmc.exe 36
C:\Windows\system32\mmc.exe 35
C:\Windows\SysWOW64\mmc.exe 29
C:\Windows\SysWOW64\mmc.exe 32
C:\windows\SysWOW64\mmc.exe 25
C:\Windows\SysWOW64\mmc.exe 33
C:\Windows\SysWOW64\mmc.exe 33
C:\WINDOWS\SysWOW64\mmc.exe 35
C:\WINDOWS\SysWOW64\mmc.exe 35

Possible Misuse

The following table contains possible examples of mmc.exe being misused. While mmc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_user_driver_loaded.yml - '\Windows\System32\mmc.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\mmc.exe' DRL 1.0
sigma file_event_win_uac_bypass_dotnet_profiler.yml description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) DRL 1.0
sigma pipe_created_susp_adfs_namedpipe_connection.yml - '\mmc.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # parent is mmc.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\mmc.exe' # dcomexec MMC DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml Image\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml ParentImage\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_susp_taskmgr_parent.yml - '\mmc.exe' DRL 1.0
sigma proc_creation_win_sysmon_uac_bypass_eventvwr.yml Image\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_wmp.yml ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' DRL 1.0
sigma registry_event_bypass_uac_using_eventviewer.yml Details: '%SystemRoot%\system32\mmc.exe "%1" %*' DRL 1.0
LOLBAS Eventvwr.yml Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.  
LOLBAS Eventvwr.yml - IOC: eventvwr.exe launching child process other than mmc.exe  
LOLBAS Mmc.yml Name: Mmc.exe  
LOLBAS Mmc.yml - Command: mmc.exe -Embedding c:\path\to\test.msc  
LOLBAS Mmc.yml - Command: mmc.exe gpedit.msc  
LOLBAS Mmc.yml - Path: C:\Windows\System32\mmc.exe  
LOLBAS Mmc.yml - Path: C:\Windows\SysWOW64\mmc.exe  
LOLBAS Wsreset.yml - IOC: wsreset.exe launching child process other than mmc.exe  
malware-ioc nukesped_lazarus .mmc.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team T1548.002.md copy “#{executable_binary}” “\?\C:\Windows \System32\mmc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md mklink c:\testbypass.exe “\?\C:\Windows \System32\mmc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Target: \system32\mmc.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md START MMC.EXE EVENTVWR.MSC MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $a5 = “taskkill /f /im mmc.exe” fullword ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

mmc

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Using mmc command-line options, you can open a specific mmc console, open mmc in author mode, or specify that the 32-bit or 64-bit version of mmc is opened.

Syntax

mmc <path>\<filename>.msc [/a] [/64] [/32]

Parameters

Parameter Description
<path>\<filename>.msc starts mmc and opens a saved console. You need to specify the complete path and file name for the saved console file. If you do not specify a console file, mmc opens a new console.
/a Opens a saved console in author mode. Used to make changes to saved consoles.
/64 Opens the 64-bit version of mmc (mmc64). Use this option only if you are running a Microsoft 64-bit operating system and want to use a 64-bit snap-in.
/32 Opens the 32-bit version of mmc (mmc32). When running a Microsoft 64-bit operating system, you can run 32-bit snap-ins by opening mmc with this command-line option when you have 32-bit only snap-ins.

Remarks

  • You can use environment variables to create command lines or shortcuts that don’t depend on the explicit location of console files. For instance, if the path to a console file is in the system folder (for example, mmc c:\winnt\system32\console_name.msc), you can use the expandable data string %systemroot% to specify the location (mmc%systemroot%\system32\console_name.msc). This may be useful if you’re delegating tasks to people in your organization who are working on different computers.

  • When consoles are opened using the /a option, they’re opened in author mode, regardless of their default mode. This doesn’t permanently change the default mode setting for files; when you omit this option, mmc opens console files according to their default mode settings.

  • After you open mmc or a console file in author mode, you can open any existing console by clicking Open on the Console menu.

  • You can use the command line to create shortcuts for opening mmc and saved consoles. A command-line command works with the Run command on the Start menu, in any command-prompt window, in shortcuts, or in any batch file or program that calls the command.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.