IP Address: 104.196.120.198Previously Malicious
IP Address: 104.196.120.198Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
NetBIOS SMB HTTP |
Tags |
Service Start Service Creation Post Reboot Rename Service Configuration HTTP Service Stop Download and Execute File Operation By CMD DNS Poisoning NetBIOS Access Suspicious Domain Service Deletion Outgoing Connection Scheduled Task Creation Malicious File Download File DNS Query IDS - A Network Trojan was detected CMD System File Modification |
Associated Attack Servers |
2.indexsinas.me avidynsumen.com dincerteknoloji.com.tr krline.net newflex.co.kr softsyshosting.com superonline.net v4.ipv6-test.com 217.219.199.47 112.166.114.83 61.105.174.250 112.216.22.202 173.248.135.141 121.78.116.76 114.30.227.8 115.89.179.114 185.50.68.49 155.138.137.121 210.90.186.195 103.79.53.18 43.239.110.83 110.78.210.147 59.29.151.193 91.93.33.26 108.58.180.52 211.255.17.17 172.107.159.162 58.230.118.96 110.10.178.151 1.234.209.2 173.248.129.151 185.85.237.210 1.252.62.45 |
IP Address |
104.196.120.198 |
|
Domain |
- |
|
ISP |
Google Cloud |
|
Country |
United States |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2020-09-27 |
Last seen in Akamai Guardicore Segmentation |
2021-07-10 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
IDS detected A Network Trojan was detected : Possible DOUBLEPULSAR Beacon Response |
IDS - A Network Trojan was detected |
Process c:\windows\system32\lsass.exe attempted to access suspicious domains: 2.indexsinas.me |
DNS Query Access Suspicious Domain Outgoing Connection |
Process c:\windows\system32\lsass.exe generated outgoing network traffic to: 210.90.186.195:811 |
Outgoing Connection |
System file C:\WINDOWS\c64.exe was modified 25 times |
System File Modification |
IDS detected A Network Trojan was detected : Possible ETERNALROMANCE MS17-010 |
IDS - A Network Trojan was detected |
The file c:\Windows\c64.exe was downloaded and executed |
Download and Execute |
C:\WINDOWS\Fonts\Mysql\mance.exe was identified as malicious by YARA according to rules: Apt Eqgrp Apr17 |
Malicious File |
C:\WINDOWS\Fonts\Mysql\puls.exe was identified as malicious by YARA according to rules: Apt Eqgrp Apr17 |
Malicious File |
The file C:\WINDOWS\Temp\xsfxdel~.exe was downloaded and executed 2 times |
Download and Execute |
c:\windows\temp\xsfxdel~.exe was deleted by c:\windows\c64.exe ( pending reboot ) 3 times |
Post Reboot Rename |
System file c:\Windows\86.exe was modified 4 times |
System File Modification |
The file C:\WINDOWS\Fonts\Mysql\svchost.exe was downloaded and executed |
Download and Execute |
The command line C:\Windows\Fonts\Mysql\nei.bat was scheduled to run by modifying C:\WINDOWS\Tasks\At1.job |
|
The file C:\WINDOWS\iexplore.exe was downloaded and executed |
Download and Execute |
The command line C:\Windows\Fonts\Mysql\wai.bat was scheduled to run by modifying C:\WINDOWS\Tasks\At2.job |
|
Service Browser was stopped |
Service Stop |
DNS poisoning detected, with hostname donate.v2.darks.xyz , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname pool.minexmr.com , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname donate.v2.kiss58.org , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname donate.v2.googel-dns.com , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname pool.bulehero.in , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname sg.minexmr.com , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname donate.v2.darks.xyz , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname pool.minexmr.com , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname donate.v2.kiss58.org , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname donate.v2.googel-dns.com , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname pool.bulehero.in , and associated IP address 103.18.244.217 |
|
DNS poisoning detected, with hostname sg.minexmr.com , and associated IP address 103.18.244.217 |
|
System file C:\WINDOWS\system32\drivers\etc\hosts was modified |
System File Modification |
The file C:\WINDOWS\c64.exe was downloaded and executed |
Download and Execute |
The file c:\windows\fonts\mysql\ctfmon.exe was downloaded and executed |
Download and Execute |
The file C:\WINDOWS\Fonts\svchost.exe was downloaded and executed 5 times |
Download and Execute |
c:\windows\system32\services.exe installed and started c:\windows\fonts\svchost.exe as a service named MicrosotMaims under service group None |
Service Start Service Creation |
The file C:\WINDOWS\Fonts\conhost.exe was downloaded and executed |
Download and Execute |
The file c:\Windows\86.exe was downloaded and executed |
Download and Execute |
Connection was closed due to user inactivity |
|
c:\windows\system32\services.exe installed %systemroot%\system32\svchost.exe as a service named serivces under service group None |
Service Creation |