EchoTrail

mshta.exe

Author: Microsoft

Source: Wild

Summary

Mshta.exe is used to execute an HTML Application (HTA). An HTA is a Microsoft Windows program whose source code consists of HTML, Dynamic HTML, and one or more scripting languages supported by Internet Explorer, such as VBScript or JScript.

EchoTrail Prevalence Score (EPS)

31.96

Rank Analysis

Host Prevalence

5.3%

Execution Rank

2,655th

Behavioral Analysis

Top Hashes

355beb0ff255e495bba836298f79ff980f8375c981b824de054fb7b9f1f29286

28.57 %

Top Paths

C:\Windows\SysWOW64

80.14 %

Top Network Ports

443

66.13 %

Ancestry Analysis

Top GrandParents

explorer.exe

39.42 %

Top Parents

HP DeskJet 3630 series.exe

22.70 %

Top Children

HPPAHelper.exe

28.87 %

Security Analysis

Intel

Mshta.exe isn't normally launched by shells. When this does happen, it's possible an attacker is attempting to abuse mshta's ability to run arbitrary scripts and make network connections. Sigma Detection Rule: https://github.com/SigmaHQ/sigma/blob/eb382c4a59b6d87e186ee269805fe2db2acf250e/rules/windows/process_creation/win_shell_spawn_mshta.yml