Static task: static1
Behavioral task: behavioral1
Sample: mmc.exe
Resource: win7-20230712-en
Behavioral task: behavioral2
Sample: mmc.exe
Resource: win10v2004-20230703-en
General
- Target: mmc.exe
- Size: 1.8MB
- MD5: 7a769b71b7fae44e4f57b6be4206dd97
- SHA1: 5124e4b5f67532daa732153effad606177212da7
- SHA256: 03048f7a610ee24ca36007019c6d5d200a9e94172d7f7a46cf71d7e792163e8d
- SHA512: 9fe3fbfd3e634753e949dce79fb6a155f741bc10a820fd43111939cb37bc290cb99270528da51ed7e75c66be84907b002f71cf04cbeb3ed6bdcd0871867c23ac
- SSDEEP: 24576:auOEOnzWnp7NdpOC9Vde63QI1IOUAz42mMo7wMo7DHO:D6zKp7dOC9m3IpUI4P7e7DHO
Malware Config
Signatures
- Unsigned PE (1 IoC): Checks for missing Authenticode signature. Resource: mmc.exe
Files
- mmc.exe.exe windows x64 b8ee2d6252332a68b70b22e3d6e377d2
Headers
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_GUARD_CF
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
Imports
gdi32
GetTextExtentPoint32W
SelectObject
GetStockObject
PtInRegion
CreatePolygonRgn
FillRgn
GetTextMetricsW
GetLayout
SetLayout
GetObjectW
GetDeviceCaps
DeleteDC
CreateSolidBrush
CreateCompatibleDC
CreateCompatibleBitmap
PatBlt
PtVisible
RectVisible
TextOutW
ExtTextOutW
Escape
DeleteObject
BitBlt
CreateFontIndirectW
user32
IsMenu
GetWindowTextLengthW
SetWindowTextW
GetClassNameW
wsprintfW
GetClassInfoExW
CreateWindowExW
CreateAcceleratorTableW
InvalidateRgn
CallWindowProcW
RegisterClassExW
ReleaseDC
GetDC
EndPaint
BeginPaint
GrayStringW
MonitorFromPoint
GetMonitorInfoW
CopyRect
SystemParametersInfoW
SetRect
RedrawWindow
FindWindowExW
GetWindowThreadProcessId
GetWindow
EnableWindow
SetRectEmpty
GetSystemMetrics
RegisterWindowMessageW
GetMenuItemID
FillRect
GetSysColorBrush
GetClassInfoW
PtInRect
GetClientRect
ShowWindow
InvalidateRect
IsRectEmpty
InflateRect
SetCapture
GetKeyState
GetCursorPos
ScreenToClient
MapWindowPoints
IsIconic
ChildWindowFromPointEx
GetFocus
SetFocus
DeleteMenu
GetMenuState
InsertMenuW
ModifyMenuW
GetDlgCtrlID
ClientToScreen
GetMessagePos
SetCursor
LoadCursorW
EnumChildWindows
GetWindowRect
MoveWindow
GetDesktopWindow
GetMenuItemCount
GetMenuItemInfoW
GetMenuStringW
AppendMenuW
SetMenuItemInfoW
SendMessageW
PeekMessageW
IsWindow
DestroyMenu
GetSysColor
DrawEdge
LoadImageW
IsChild
DrawTextW
SetParent
SetWindowPlacement
GetWindowLongW
SetWindowLongW
GetWindowPlacement
SetWindowLongPtrW
EnableMenuItem
BringWindowToTop
GetSystemMenu
IsZoomed
BeginDeferWindowPos
EndDeferWindowPos
DeferWindowPos
AdjustWindowRectEx
GetCapture
ReleaseCapture
NotifyWinEvent
GetForegroundWindow
SetMenuDefaultItem
CharLowerW
GetDlgItem
GetNextDlgTabItem
TrackPopupMenuEx
IsWindowEnabled
DrawFocusRect
DefWindowProcW
SetWindowPos
SetTimer
KillTimer
SetClipboardViewer
GetWindowTextW
EnumThreadWindows
SetActiveWindow
SetForegroundWindow
ChangeClipboardChain
GetMenu
SetMenu
DrawFrameControl
DestroyIcon
GetSubMenu
CharUpperW
DrawIconEx
CopyImage
GetMessageTime
UnionRect
UnhookWindowsHookEx
SetWindowsHookExW
CallNextHookEx
GetDoubleClickTime
TabbedTextOutW
DestroyAcceleratorTable
LoadAcceleratorsW
TranslateAcceleratorW
CreatePopupMenu
OffsetRect
MessageBoxW
CopyIcon
PrivateExtractIconsW
GetIconInfo
SendMessageTimeoutW
GetWindowLongPtrW
LoadMenuW
UpdateWindow
MessageBeep
DestroyWindow
CharNextW
GetParent
LoadStringW
PostMessageW
IsWindowVisible
LoadIconW
mfc42u
msvcrt
wcsrchr
wcscmp
iswspace
_ultow
wcstoul
_ltow
wcsncmp
__RTDynamicCast
memcmp
memcpy
memset
_onexit
__dllonexit
_unlock
_lock
??1type_info@@UEAA@XZ
?terminate@@YAXXZ
_commode
_fmode
_wcmdln
_initterm
__setusermatherr
_cexit
_exit
exit
__set_app_type
__wgetmainargs
_amsg_exit
_XcptFilter
_CxxThrowException
_callnewh
??0exception@@QEAA@AEBQEBDH@Z
wcschr
_wtoi
wcsstr
_mbslen
_mbsnbcnt
wcstol
realloc
??0exception@@QEAA@XZ
wcscpy_s
__argc
__wargv
swscanf
free
malloc
_purecall
memmove_s
??0exception@@QEAA@AEBQEBD@Z
??1exception@@UEAA@XZ
?what@exception@@UEBAPEBDXZ
??0exception@@QEAA@AEBV0@@Z
memcpy_s
_wcsicmp
_wcsnicmp
_vsnwprintf
__C_specific_handler
__CxxFrameHandler3
ntdll
EtwGetTraceLoggerHandle
EtwGetTraceEnableLevel
EtwGetTraceEnableFlags
EtwRegisterTraceGuidsW
EtwUnregisterTraceGuids
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
EtwTraceMessage
mmcbase
?InterfaceMethodException@BookKeeping@@SAXHPEBG0KPEAU_EXCEPTION_POINTERS@@@Z
?MMCNullInterface@BookKeeping@@SAXHPEBG0@Z
?GetHWnd@SC@mmcerror@@SAPEAUHWND__@@XZ
?TraceSnapinError@@YAXPEBGAEBVSC@mmcerror@@@Z
?InvalidInterface@BookKeeping@@SAXHPEBG0@Z
MMC_PickIconDlg
InsideModalLoop
?FindAllSnapinUIThreads@BookKeeping@@SAJPEAPEAKPEAK@Z
?GetSnapinName@BookKeeping@@SAPEBGH@Z
?TraceError@@YAXPEBGAEBVSC@mmcerror@@@Z
?ReleaseSnapinInterface@BookKeeping@@SAJPEAUIUnknown@@H@Z
?AddSnapinInterface@BookKeeping@@SA_NPEAUIUnknown@@PEBGAEAH@Z
?InterfaceMethodActivationContextException@BookKeeping@@SAXHPEBG0KPEAU_EXCEPTION_POINTERS@@@Z
?AddSnapin@BookKeeping@@SAJPEBGAEAH@Z
??9SC@mmcerror@@QEBA_NJ@Z
?AddItem@BookKeeping@@SAJAEAVItemHandle@@@Z
LoadStandardOverlays
??1SC@mmcerror@@QEAA@XZ
??0SC@mmcerror@@QEAA@J@Z
?ScEmitOrPostpone@CEventBuffer@@QEAA?AVSC@mmcerror@@PEAUIDispatch@@JPEAVCComVariant@ATL@@H@Z
?TraceAndClear@SC@mmcerror@@QEAAXXZ
?RemoveItem@BookKeeping@@SAJPEAX@Z
GetStringModule
??7SC@mmcerror@@QEBAHXZ
?FromMMC@SC@mmcerror@@QEAAAEAV12@J@Z
?Clear@SC@mmcerror@@QEAAXXZ
?FindItem@BookKeeping@@SAPEAVItemHandle@@PEAX@Z
??1?$CEventLock@UAppEvents@@@@QEAA@XZ
??0?$CEventLock@UAppEvents@@@@QEAA@XZ
?Throw@SC@mmcerror@@QEAAXJ@Z
?Throw@SC@mmcerror@@QEAAXXZ
?FromWin32@SC@mmcerror@@QEAAAEAV12@J@Z
?MMCErrorBox@@YAHPEBGI@Z
?FatalError@SC@mmcerror@@QEBAXXZ
?IsError@SC@mmcerror@@QEBA_NXZ
?AddRef@CMMCStrongReferences@@SAKXZ
?Release@CMMCStrongReferences@@SAKXZ
?GetErrorMessage@SC@mmcerror@@QEBAXIPEAG@Z
?GetHelpID@SC@mmcerror@@QEAAKXZ
??8SC@mmcerror@@QEBA_NAEBV01@@Z
?MMCErrorBox@@YAHPEBGVSC@mmcerror@@I@Z
?FromLastError@SC@mmcerror@@QEAAAEAV12@XZ
?LastRefReleased@CMMCStrongReferences@@SA_NXZ
?GetHelpFile@SC@mmcerror@@SAPEBGXZ
?ScSetConsoleEventDispatcher@CConsoleEventDispatcherProvider@@SA?AVSC@mmcerror@@PEAVCConsoleEventDispatcher@@@Z
?SetMainThreadID@SC@mmcerror@@SAXK@Z
?SetHWnd@SC@mmcerror@@SAXPEAUHWND__@@@Z
??8SC@mmcerror@@QEBA_NJ@Z
?MMCErrorBox@@YAHVSC@mmcerror@@I@Z
?ScFromMMC@@YA?AVSC@mmcerror@@J@Z
GetComObjectEventSource
??BSC@mmcerror@@QEBA_NXZ
?MMCErrorBox@@YAHII@Z
GetEventBuffer
MMCUpdateRegistry
?ToHr@SC@mmcerror@@QEBAJXZ
??4SC@mmcerror@@QEAAAEAV01@J@Z
??0SC@mmcerror@@QEAA@AEBV01@@Z
??4SC@mmcerror@@QEAAAEAV01@AEBV01@@Z
?SetFunctionName@SC@mmcerror@@QEAAXPEBG@Z
?LKResult2HRESULT@BookKeeping@@SAJ_J@Z
ole32
CLSIDFromProgID
OleLockRunning
StringFromCLSID
CoTaskMemAlloc
CoGetClassObject
DoDragDrop
RegisterDragDrop
RevokeDragDrop
CreateStreamOnHGlobal
GetHGlobalFromStream
ProgIDFromCLSID
CoTaskMemFree
CoRevokeClassObject
OleUninitialize
CoFreeUnusedLibraries
OleInitialize
CoRegisterClassObject
CoCreateInstance
CoDisconnectObject
CLSIDFromString
CoGetMalloc
CreateILockBytesOnHGlobal
StgOpenStorageOnILockBytes
StringFromGUID2
CoCreateGuid
OleRun
shlwapi
ord500
ord225
ord176
ord503
PathFindFileNameW
uxtheme
IsThemeActive
OpenThemeData
DrawThemeBackground
CloseThemeData
SetWindowTheme
IsAppThemed
duser
SetGadgetStyle
GetGadgetRect
api-ms-win-core-registry-l1-1-0
RegOpenKeyExW
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegOpenKeyExA
RegQueryValueExA
RegCloseKey
kernel32
ResolveDelayLoadedAPI
GetCurrentThreadId
GetCommandLineW
OutputDebugStringW
CompareStringW
lstrcmpW
GetFullPathNameW
GetLastError
GetLongPathNameW
ExpandEnvironmentStringsW
CreateProcessW
CloseHandle
ReleaseActCtx
ExpandEnvironmentStringsA
FreeLibrary
GlobalReAlloc
ReadFile
CreateDirectoryW
GetModuleHandleA
FormatMessageW
HeapCreate
QueryPerformanceCounter
SleepConditionVariableSRW
WakeAllConditionVariable
AcquireSRWLockExclusive
ReleaseSRWLockExclusive
TerminateProcess
SetUnhandledExceptionFilter
UnhandledExceptionFilter
GetStartupInfoW
LocalFree
InterlockedPopEntrySList
InterlockedPushEntrySList
FlushInstructionCache
DecodePointer
EncodePointer
LoadLibraryExA
DelayLoadFailureHook
HeapFree
GetProcessHeap
HeapAlloc
GetFileSize
FindClose
FindNextFileW
FindFirstFileW
lstrcmpiW
GlobalAlloc
GlobalLock
RaiseException
GlobalUnlock
GetTickCount
GlobalFree
Sleep
FindResourceW
LoadLibraryExW
WriteFile
DeleteAtom
AddAtomW
GetCurrentProcessId
GetFileMUIPath
GetFileTime
CreateFileW
GetSystemTimeAsFileTime
VirtualQuery
VirtualAlloc
VirtualProtect
DeleteFileW
SetCurrentDirectoryW
lstrcpyW
SetProcessInformation
GetSystemDirectoryW
HeapDestroy
lstrlenW
GetVersionExW
OutputDebugStringA
QueryActCtxW
GetModuleHandleExW
GetModuleFileNameW
CreateActCtxW
FindActCtxSectionStringW
ActivateActCtx
LoadLibraryW
DeactivateActCtx
SetLastError
LeaveCriticalSection
EnterCriticalSection
DeleteCriticalSection
InitializeCriticalSection
GetSystemInfo
GetCurrentDirectoryW
GetFileAttributesW
GetCurrentProcess
GetProcAddress
GetModuleHandleW
VirtualFree
Sections
.text Size: 943KB - Virtual size: 942KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 497KB - Virtual size: 496KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 35KB - Virtual size: 42KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.pdata Size: 52KB - Virtual size: 52KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.didat Size: 1KB - Virtual size: 1KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 274KB - Virtual size: 273KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.reloc Size: 14KB - Virtual size: 14KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ