IP Address: 122.176.53.77Malicious
IP Address: 122.176.53.77Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
SMB |
Tags |
Bulk Files Tampering RDP Successful RDP Login File Operation By CMD User Created Download File System File Modification SMB CMD Successful SMB Login Human Outgoing Connection Access Suspicious Domain SMB Brute Force User Added to Group Turn Off DEP Service Start SMB Null Session Login SMB Share Connect DNS Query Service Creation Service Deletion |
Associated Attack Servers |
accounts.google.com clients1.google.com clients2.google.com clients4.google.com redirector.gvt1.com ssdcloudindia.net ssl.gstatic.com tools.google.com translate.googleapis.com www.googleapis.com www.google.com www.gstatic.com |
IP Address |
122.176.53.77 |
|
Domain |
- |
|
ISP |
- |
|
Country |
India |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2024-06-09 |
Last seen in Akamai Guardicore Segmentation |
2024-08-16 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
c:\windows\system32\services.exe installed and started %comspec% as a service named nuouwpAE under service group None |
Service Start Service Creation |
User Ven was created with the password ********* added to groups: Administrators and logged in using RDP and SMB |
User Added to Group User Created Successful RDP Login Successful SMB Login |
System file C:\WINDOWS\Temp\vCyGGwmrUoxZINZR.bat was modified 4 times |
System File Modification |
c:\windows\system32\services.exe installed and started %comspec% as a service named msvWdzAP under service group None |
Service Start Service Creation |
System file C:\WINDOWS\Temp\hbPGztFdFShqEWMT.bat was modified 4 times |
System File Modification |
A user logged in using RDP with the following credentials: Ven / ********* - Authentication policy: Correct Password |
Successful RDP Login |
Service MSIServer was started |
Service Start |
A user logged in using SMB from SERVER with the following username: Ven - Authentication policy: Correct Password (Part of a Brute Force Attempt) 2 times |
SMB Brute Force Successful SMB Login |
Process c:\program files\google\chrome\application\chrome.exe attempted to access domains: accounts.google.com, clients1.google.com, clients2.google.com, clients4.google.com, ssl.gstatic.com, tools.google.com, translate.googleapis.com, www.google.com, www.googleapis.com and www.gstatic.com |
DNS Query |
Process c:\program files\google\chrome\application\chrome.exe generated outgoing network traffic to: 164.52.209.106:8080 |
Outgoing Connection |
Process c:\program files\google\chrome\application\chrome.exe attempted to access suspicious domains: redirector.gvt1.com |
DNS Query Access Suspicious Domain Outgoing Connection |
C:\Documents and Settings\Ven\Win32.zip was downloaded |
Download File |
Connection was closed due to timeout |
|
Process c:\windows\system32\winlogon.exe performed bulk changes in {c:\documents and settings\ven} on 27 files |
Bulk Files Tampering |
Process c:\program files\google\chrome\application\chrome.exe performed bulk changes in {c:\documents and settings\ven\local settings\application data\google\chrome\user data} on 43 files |
Bulk Files Tampering |
C:\Documents and Settings\Ven\Desktop\1\mimikatz_trunk.zip |
SHA256: 92c2e718bd35d8454d3f1314610ebf57cc6512a8a03dd6f2276b61fd091ff6f8 |
1227093 bytes |
C:\Documents and Settings\Ven\Win32.zip |
SHA256: 9e60c0a347f19025bfe463859074b7b3d65270017fc2ef5d9ac495906b350735 |
576664 bytes |
C:\Documents and Settings\Ven\Desktop\mimikatz_trunk.zip |
SHA256: c3b08fc16203bd71b7f943b19da8e7dfc09b9e5b65e709ac8b00a20fb32a8616 |
1227093 bytes |
C:\Documents and Settings\Ven\Desktop\Win32.zip |
SHA256: caf5177cf80228233a36c8aea09930e378e11e1d22516d96442698feb9b0d263 |
576664 bytes |
C:\Documents and Settings\Ven\Desktop\1\EternalBlue1473.exe |
SHA256: e06b57545b8432245443a297be9f255a35b22e16a4c965b5d1cd4fb86a6a6e23 |
1507840 bytes |