Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 157.230.243.133Malicious

IP Address: 157.230.243.133Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SMB

Tags

Outgoing Connection SMB Null Session Login Download and Execute Service Creation MSRPC Service Start Service Deletion Access Suspicious Domain SMB CMD Successful SMB Login

Associated Attack Servers

121.in-addr.arpa 163data.com.cn 49-tataidc.co.in airtelbroadband.in airtel.in asianet.co.in asianet.co.th axntechnologies.in azedunet.az bcnb.ac.th bizhost.kr codetel.net.do collabefood.com conexaojknet.com.br dsl.net.pk eastern-tele.com edu.hu fariya.com gulfnet.com.kw hinet.net hwclouds-dns.com inidc.com.cn integraldeal.com ip-198-50-233.net iplannetworks.net ishannetsol.com isplko.com jlccptt.net.cn krisent.com link.net.id

1.0.233.67 1.20.143.58 1.53.74.166 1.54.120.96 1.222.207.69 1.240.81.27 1.248.75.8 2.88.156.227 2.90.254.183 5.43.243.233 5.150.64.46 5.189.63.238 14.97.236.198 14.134.110.211 14.139.121.242 14.140.164.251 14.157.138.127 14.157.138.223 14.171.49.128 14.190.228.4 14.192.148.53 14.215.107.78 14.224.144.29 14.226.78.134 14.229.44.173 14.232.152.131 14.235.58.202 14.241.48.239 14.246.97.196 14.246.141.140

Basic Information

IP Address

157.230.243.133

Domain

-

ISP

Digital Ocean

Country

Singapore

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2022-11-09

Last seen in Akamai Guardicore Segmentation

2023-03-14

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User

Successful SMB Login

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC03 under service group None

Service Start Service Creation

Service MSIServer was started

Service Start

Process c:\windows\system32\msiexec.exe generated outgoing network traffic to: 112.78.181.170:16168, 14.134.110.211:16776, 157.230.243.133:12687 and 23.94.203.148:14093

Outgoing Connection

Process c:\windows\system32\msiexec.exe attempted to access suspicious domains: krisent.com

Access Suspicious Domain Outgoing Connection

The file C:\WINDOWS\Installer\MSI3.tmp was downloaded and loaded by c:\windows\system32\msiexec.exe

Download and Execute

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User

Successful SMB Login

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC06 under service group None

Service Start Service Creation

The file C:\WINDOWS\Installer\MSI7.tmp was downloaded and loaded by c:\windows\installer\msi7.tmp

Download and Execute

The file C:\WINDOWS\Installer\MSIF.tmp was downloaded and loaded by c:\windows\system32\msiexec.exe

Download and Execute

The file C:\WINDOWS\Installer\MSI10.tmp was downloaded and loaded by c:\windows\system32\msiexec.exe

Download and Execute

The file C:\WINDOWS\Installer\MSI13.tmp was downloaded and loaded by c:\windows\system32\msiexec.exe

Download and Execute

Connection was closed due to timeout

Associated Files

C:\Windows\Installer\MSI23F.tmp

SHA256: 6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

144896 bytes