SOC164 — Suspicious Mshta Behavior EventID: 114 @ LetsDefend.io walkthrough

By Secnimi

Hopefully I have fulfilled the request of Omer Gunal, Co-Founder of LetsDefend.io to show the right solution and steps for this investigation. This walkthrough is following the playbook (with few screen shots short).

Lets dive in the playbook right the way.

Go to the Monitoring page…for this case investigation, the useful information are color marked here.

Let’s go to Virustotal to check the ps1.hta md5 hash. The file with the file hash has been flagged 27/60 as malicious.

Just want to double check, I went to hybrid analysis to check the file hash. It is marked as malicious as well.

Now, lets go to the EndPoint Security to check the host: Roberto @ 172.16.17.38

Under the Command History, we can see the the Mshta.exe command ran and then Ps1.hta ran on 10:29 am on March 5th. Following that, in the next minute, the powershell.exe ran. And the request of contacting 193.142.58.23 for the Server.txt file can be found with the powershell command execution.

*pssss…Yes, I know, the year is incorrect…it should be 2022 instead. But, let’s run with this one for now.

Under the Network Connections, it is certain that the host had contacted the 192.142.58.23 on March 5th, 10:29.

*Yes, here the year is still incorrect. We will double check the year in the Log Management.

Under the Process List, we can also find mshta.exe process and also the child process of mshta.exe: powershell.exe

Now, go to the Log Management, check the communication between the host and the C2: 193.142.58.23

We can see Mar 5th, 2022, 10:29AM, the host contacted the C2. And from the raw log, we see it sent the request as in the powershell execution.

From the raw log of C2 response to the host request. Luckily, it is a 404 message.

Most of our investigation is finished. Let’s continue with the playbook…

Yes, suspicious for sure

Don’t forget to check the LOLBAS Project. It has the answer to the next questions.

If anything in doubt about the execute of powershell instead, check the link of MITRE ATT&CK T1218.005: Mshta.

Here are the questions that we already found the answers in the LOLBAS Project.

Aha, Execute, it is!

Yes, the user did it.

Yes. it is malicious. So we need to put the host into containment.

Here are the artifacts that we have for this case. I forgot to put in the request of URL address. http:// 193.142.58.23/Server.txt

Well, here is my conclusion for this case.

Finally, close the case. Surely, select TRUE POSITIVE and put in the final note.

This is the first time I did a walkthrough. It is kinda fun.