IP Address: 110.138.151.230Previously Malicious
IP Address: 110.138.151.230Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SMB |
Tags |
Service Stop Download File Service Deletion SMB Null Session Login Download and Execute Successful SMB Login Outgoing Connection Persistency - Logon Access Share DNS Query Cookie Hijacking SMB IDS - A Network Trojan was detected Service Creation Service Start Access Suspicious Domain Access Violation SMB Share Connect Listening Execute from Share CMD |
Associated Attack Servers |
IP Address |
110.138.151.230 |
|
Domain |
- |
|
ISP |
PT Telkom Indonesia |
|
Country |
Indonesia |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2022-11-10 |
Last seen in Akamai Guardicore Segmentation |
2022-11-10 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using SMB with the following username: Administrator - Authentication policy: Correct Password |
Successful SMB Login |
C:\zrTTfECW.exe was downloaded |
Download File |
zrttfecw.exe was executed from the remote share \\server-backup\c$ |
Execute from Share |
c:\windows\system32\services.exe installed and started \\server-backup\c$\zrttfecw.exe as a service named aSjY under service group None |
Service Start Service Creation |
Service aSjY was stopped |
Service Stop |
c:\windows\system32\services.exe installed and started cmd as a service named CVZV under service group None |
Service Start Service Creation |
IDS detected A Network Trojan was detected : WMIC WMI Request Over SMB - Likely Lateral Movement |
IDS - A Network Trojan was detected |
The file C:\installed2.exe was downloaded and executed |
Download and Execute |
c:\windows\system32\services.exe installed and started cmd as a service named RWvL under service group None |
Service Start Service Creation |
The file C:\WINDOWS\Temp\svchost.exe was downloaded and executed 2 times |
Download and Execute |
Process c:\installed2.exe started listening on ports: 65533 |
Listening |
Service RWvL was stopped |
Service Stop |
The file C:\WINDOWS\Temp\_MEI13682\python27.dll was downloaded and loaded by c:\windows\temp\svchost.exe |
Download and Execute |
The file C:\WINDOWS\Temp\_MEI13682\msvcr90.dll was downloaded and loaded by c:\windows\temp\_mei13682\msvcr90.dll |
Download and Execute |
Process c:\windows\temp\svchost.exe started listening on ports: 60124 |
Listening |
Process c:\installed2.exe attempted to access suspicious domains: i.haqo.net and p.abbny.com |
DNS Query Access Suspicious Domain Outgoing Connection |
Process c:\installed2.exe generated outgoing network traffic to: 72.52.178.23:80 |
Outgoing Connection |
c:\windows\temp\ttt.exe set the command line C:\WINDOWS\system32\wmiex.exe to run using Persistency - Logon |
Persistency - Logon |
Connection was closed due to timeout |
|
c:\windows\system32\drivers\svchost.exe |
SHA256: 9e0a6e933b04129d24f9e64c03c8908986a6faae787cebac6be444b4000b287b |
201776 bytes |
C:\WINDOWS\Temp\svchost.exe |
SHA256: e7f24ec49ffc81efc74806cb5c91ff7ffe35d521d20b237e99a2d09b1f561120 |
5525000 bytes |