mmc.exe

  • File Path: C:\Windows\SysWOW64\mmc.exe
  • Description: Microsoft Management Console

Screenshot

mmc.exe mmc.exe

Hashes

Type Hash
MD5 A40546440A81D2E36FB1F6F18AC376BC
SHA1 D5F486F60BD4A3230C65EABDF6C6CBC31C7ECF2F
SHA256 101B06FD8A344D594454BB1C4F9F2BC37680235504436512FB3ABC3F20704547
SHA384 BC6761DE37FC11AAEB55BF6DC3CDF43D75FA42019AF2340E53DABD22B4FDBE046F493D19DE5B60B7CE41A78629581F34
SHA512 E583699A9E79C95C6D85C9E0092F5F31C3FE3B6DFC555E6BDC7CC25D3E97941C98BE51B8DB7FDCB8BDC4BD44CCC9EC6C44DF83FE23A45967AFDCCD4A4EA5D7B4
SSDEEP 24576:T7WbO/1cWKvhKVbPhS8nZ0MbatL+gR+QOxRK9Mo7wMo7DHjexVkj8r:T7WMcZm48ndeT7e7DHjexVkj8r
IMP E930A44493D92B845A352867BF590FC8
PESHA1 860B57C93C85E993FA6350965404D9B9EBA904AE
PE256 579D42B9D53A0CFE9E2CB45AC5FAD42731B49ABF96827C938FDBF6D0AF454DF2

Runtime Data

Child Processes:

mmc.exe

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\mmc.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mmc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/101b06fd8a344d594454bb1c4f9f2bc37680235504436512fb3abc3f20704547/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\mmc.exe 30
C:\windows\system32\mmc.exe 32
C:\Windows\system32\mmc.exe 32
C:\Windows\system32\mmc.exe 29
C:\Windows\system32\mmc.exe 38
C:\Windows\system32\mmc.exe 29
C:\Windows\SysWOW64\mmc.exe 30
C:\Windows\SysWOW64\mmc.exe 30
C:\Windows\SysWOW64\mmc.exe 33
C:\windows\SysWOW64\mmc.exe 27
C:\Windows\SysWOW64\mmc.exe 88
C:\WINDOWS\SysWOW64\mmc.exe 29
C:\WINDOWS\SysWOW64\mmc.exe 33

Possible Misuse

The following table contains possible examples of mmc.exe being misused. While mmc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_user_driver_loaded.yml - '\Windows\System32\mmc.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\mmc.exe' DRL 1.0
sigma file_event_win_uac_bypass_dotnet_profiler.yml description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) DRL 1.0
sigma pipe_created_susp_adfs_namedpipe_connection.yml - '\mmc.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # parent is mmc.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\mmc.exe' # dcomexec MMC DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml Image\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml ParentImage\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_susp_taskmgr_parent.yml - '\mmc.exe' DRL 1.0
sigma proc_creation_win_sysmon_uac_bypass_eventvwr.yml Image\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_wmp.yml ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' DRL 1.0
sigma registry_event_bypass_uac_using_eventviewer.yml Details: '%SystemRoot%\system32\mmc.exe "%1" %*' DRL 1.0
LOLBAS Eventvwr.yml Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.  
LOLBAS Eventvwr.yml - IOC: eventvwr.exe launching child process other than mmc.exe  
LOLBAS Mmc.yml Name: Mmc.exe  
LOLBAS Mmc.yml - Command: mmc.exe -Embedding c:\path\to\test.msc  
LOLBAS Mmc.yml - Command: mmc.exe gpedit.msc  
LOLBAS Mmc.yml - Path: C:\Windows\System32\mmc.exe  
LOLBAS Mmc.yml - Path: C:\Windows\SysWOW64\mmc.exe  
LOLBAS Wsreset.yml - IOC: wsreset.exe launching child process other than mmc.exe  
malware-ioc nukesped_lazarus .mmc.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team T1548.002.md copy “#{executable_binary}” “\?\C:\Windows \System32\mmc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md mklink c:\testbypass.exe “\?\C:\Windows \System32\mmc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Target: \system32\mmc.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md START MMC.EXE EVENTVWR.MSC MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $a5 = “taskkill /f /im mmc.exe” fullword ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

mmc

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Using mmc command-line options, you can open a specific mmc console, open mmc in author mode, or specify that the 32-bit or 64-bit version of mmc is opened.

Syntax

mmc <path>\<filename>.msc [/a] [/64] [/32]

Parameters

Parameter Description
<path>\<filename>.msc starts mmc and opens a saved console. You need to specify the complete path and file name for the saved console file. If you do not specify a console file, mmc opens a new console.
/a Opens a saved console in author mode. Used to make changes to saved consoles.
/64 Opens the 64-bit version of mmc (mmc64). Use this option only if you are running a Microsoft 64-bit operating system and want to use a 64-bit snap-in.
/32 Opens the 32-bit version of mmc (mmc32). When running a Microsoft 64-bit operating system, you can run 32-bit snap-ins by opening mmc with this command-line option when you have 32-bit only snap-ins.

Remarks

  • You can use environment variables to create command lines or shortcuts that don’t depend on the explicit location of console files. For instance, if the path to a console file is in the system folder (for example, mmc c:\winnt\system32\console_name.msc), you can use the expandable data string %systemroot% to specify the location (mmc%systemroot%\system32\console_name.msc). This may be useful if you’re delegating tasks to people in your organization who are working on different computers.

  • When consoles are opened using the /a option, they’re opened in author mode, regardless of their default mode. This doesn’t permanently change the default mode setting for files; when you omit this option, mmc opens console files according to their default mode settings.

  • After you open mmc or a console file in author mode, you can open any existing console by clicking Open on the Console menu.

  • You can use the command line to create shortcuts for opening mmc and saved consoles. A command-line command works with the Run command on the Start menu, in any command-prompt window, in shortcuts, or in any batch file or program that calls the command.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.