mmc.exe

  • File Path: C:\WINDOWS\SysWOW64\mmc.exe
  • Description: Microsoft Management Console

Screenshot

mmc.exe mmc.exe

Hashes

Type Hash
MD5 BA18900E566A9BDC1330E5ADE7BF4590
SHA1 257434249D4D31A0A8EE6A6508A57257C164F83D
SHA256 3042D2612469B963432C4EB0A31AA67FB91C11B8B521C87505355FF5EEAB5C93
SHA384 BBF648A728FF3F341F205CE48D69ED0145A4671420FBAD1BDECD5215AAD8AFC0931DA182B568FCC6E553A940775BF1F1
SHA512 2380AA6DD003C20439DBCCE5026C2DA4A58DA6EF3EACC7B548617EDB4B1161600E94BCC91271528C9F19448E7C5FAD946BE2F3FD37F786A3F6FAA05BD4945C48
SSDEEP 24576:kU40wSUmCF/H2LuUl8L7ydkSkHxLZekMo7wMo7DHF9hGkOq:kiqmCF/H8JxkHnei7e7DHjhG9q
IMP 9D21E188EF809CF663C082ACBE5016A5
PESHA1 892D08CC66B1D2EA8D403F4F5CE873EF1E7E8188
PE256 99FE7EDE74E2D1D786B3FC49E9BD91C4DA966E6C9BEA062A22DA916BD659491F

Runtime Data

Child Processes:

mmc.exe

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\mmc.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mmc.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/3042d2612469b963432c4eb0a31aa67fb91c11b8b521c87505355ff5eeab5c93/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\mmc.exe 35
C:\windows\system32\mmc.exe 33
C:\Windows\system32\mmc.exe 36
C:\Windows\system32\mmc.exe 38
C:\Windows\system32\mmc.exe 30
C:\Windows\system32\mmc.exe 29
C:\Windows\SysWOW64\mmc.exe 32
C:\Windows\SysWOW64\mmc.exe 30
C:\Windows\SysWOW64\mmc.exe 35
C:\windows\SysWOW64\mmc.exe 36
C:\Windows\SysWOW64\mmc.exe 32
C:\Windows\SysWOW64\mmc.exe 29
C:\WINDOWS\SysWOW64\mmc.exe 29

Possible Misuse

The following table contains possible examples of mmc.exe being misused. While mmc.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_user_driver_loaded.yml - '\Windows\System32\mmc.exe' DRL 1.0
sigma file_event_win_susp_adsi_cache_usage.yml - 'C:\windows\system32\mmc.exe' DRL 1.0
sigma file_event_win_uac_bypass_dotnet_profiler.yml description: Detects the pattern of UAC Bypass using .NET Code Profiler and mmc.exe DLL hijacking (UACMe 39) DRL 1.0
sigma pipe_created_susp_adfs_namedpipe_connection.yml - '\mmc.exe' DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml # parent is mmc.exe DRL 1.0
sigma proc_creation_win_impacket_lateralization.yml - '\mmc.exe' # dcomexec MMC DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml description: Detects MMC20.Application Lateral Movement; specifically looks for the spawning of the parent MMC.exe with a command line of "-Embedding" as a child of svchost.exe DRL 1.0
sigma proc_creation_win_mmc20_lateral_movement.yml Image\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_mmc_spawn_shell.yml ParentImage\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_susp_taskmgr_parent.yml - '\mmc.exe' DRL 1.0
sigma proc_creation_win_sysmon_uac_bypass_eventvwr.yml Image\|endswith: '\mmc.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_wmp.yml ParentCommandLine: '"C:\Windows\system32\mmc.exe" "C:\Windows\system32\eventvwr.msc" /s' DRL 1.0
sigma registry_event_bypass_uac_using_eventviewer.yml Details: '%SystemRoot%\system32\mmc.exe "%1" %*' DRL 1.0
LOLBAS Eventvwr.yml Description: During startup, eventvwr.exe checks the registry value HKCU\Software\Classes\mscfile\shell\open\command for the location of mmc.exe, which is used to open the eventvwr.msc saved console file. If the location of another binary or script is added to this registry value, it will be executed as a high-integrity process without a UAC prompt being displayed to the user.  
LOLBAS Eventvwr.yml - IOC: eventvwr.exe launching child process other than mmc.exe  
LOLBAS Mmc.yml Name: Mmc.exe  
LOLBAS Mmc.yml - Command: mmc.exe -Embedding c:\path\to\test.msc  
LOLBAS Mmc.yml - Command: mmc.exe gpedit.msc  
LOLBAS Mmc.yml - Path: C:\Windows\System32\mmc.exe  
LOLBAS Mmc.yml - Path: C:\Windows\SysWOW64\mmc.exe  
LOLBAS Wsreset.yml - IOC: wsreset.exe launching child process other than mmc.exe  
malware-ioc nukesped_lazarus .mmc.exe``{:.highlight .language-cmhg} © ESET 2014-2018
atomic-red-team T1548.002.md copy “#{executable_binary}” “\?\C:\Windows \System32\mmc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md mklink c:\testbypass.exe “\?\C:\Windows \System32\mmc.exe” MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Target: \system32\mmc.exe MIT License. © 2018 Red Canary
atomic-red-team T1574.012.md START MMC.EXE EVENTVWR.MSC MIT License. © 2018 Red Canary
signature-base crime_cn_campaign_njrat.yar $a5 = “taskkill /f /im mmc.exe” fullword ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.

mmc

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Using mmc command-line options, you can open a specific mmc console, open mmc in author mode, or specify that the 32-bit or 64-bit version of mmc is opened.

Syntax

mmc <path>\<filename>.msc [/a] [/64] [/32]

Parameters

Parameter Description
<path>\<filename>.msc starts mmc and opens a saved console. You need to specify the complete path and file name for the saved console file. If you do not specify a console file, mmc opens a new console.
/a Opens a saved console in author mode. Used to make changes to saved consoles.
/64 Opens the 64-bit version of mmc (mmc64). Use this option only if you are running a Microsoft 64-bit operating system and want to use a 64-bit snap-in.
/32 Opens the 32-bit version of mmc (mmc32). When running a Microsoft 64-bit operating system, you can run 32-bit snap-ins by opening mmc with this command-line option when you have 32-bit only snap-ins.

Remarks

  • You can use environment variables to create command lines or shortcuts that don’t depend on the explicit location of console files. For instance, if the path to a console file is in the system folder (for example, mmc c:\winnt\system32\console_name.msc), you can use the expandable data string %systemroot% to specify the location (mmc%systemroot%\system32\console_name.msc). This may be useful if you’re delegating tasks to people in your organization who are working on different computers.

  • When consoles are opened using the /a option, they’re opened in author mode, regardless of their default mode. This doesn’t permanently change the default mode setting for files; when you omit this option, mmc opens console files according to their default mode settings.

  • After you open mmc or a console file in author mode, you can open any existing console by clicking Open on the Console menu.

  • You can use the command line to create shortcuts for opening mmc and saved consoles. A command-line command works with the Run command on the Start menu, in any command-prompt window, in shortcuts, or in any batch file or program that calls the command.

Additional References

MIT License. Copyright (c) 2020-2021 Strontic.