Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 200.75.2.138 (Malicious)

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

File Operation By CMD, Download and Execute, Service Configuration, Post Reboot Rename, Service Stop, Service Creation, MSRPC, Service Start, Service Deletion, System Shutdown, SMB, Successful MSRPC Login, CMD, Successful SMB Login

Associated Attack Servers


Basic Information

IP Address

200.75.2.138

Domain

-

ISP

Gtd Internet S.A.

Country

Chile

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2022-11-13

Last seen in Akamai Guardicore Segmentation

2024-06-21

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using SMB with the following username: administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User

Successful SMB Login

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC01 under service group None

Service Creation, Service Start

Service msiserver was started

Service Start

The file C:\Windows\Installer\MSI1EA0.tmp was downloaded and loaded by c:\windows\installer\msi1ea0.tmp

Download and Execute

The file C:\Windows\Installer\MSI1EFE.tmp was downloaded and loaded by c:\windows\installer\msi1efe.tmp

Download and Execute

A user logged in using MSRPC from POS-EUDLP-C1 with the following username: administrator - Authentication policy: Previously Approved User

Successful MSRPC Login

The file C:\Windows\Installer\MSI1F2E.tmp was downloaded and loaded by c:\windows\installer\msi1f2e.tmp

Download and Execute

The file C:\Windows\Installer\MSI1F4E.tmp was downloaded and loaded by c:\windows\installer\msi1f4e.tmp

Download and Execute

c:\windows\apppatch\acpsens.dll was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\system32\sens.dll was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\system32\sens.dll was renamed to c:\windows\apppatch\acpsens.dll by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\setupact64.log was renamed to c:\windows\system32\sens.dll by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\system32\msiexec.exe attempted shutdown of type Shut down the system and then restarted it, as well as any applications that have been registered for restart, Shut down the system and then restarted the system with reason: Unspecified

System Shutdown

c:\windows\system32\winlogon.exe attempted shutdown of type Shut down the system and then restarted it, as well as any applications that have been registered for restart, Shut down the system and then restarted the system, Shut down the system to a point at which it is safe to turn off the power with reason: Unspecified

System Shutdown

c:\windows\system32\wininit.exe attempted shutdown of type Shut down the system and then restarted the system, Shut down the system to a point at which it is safe to turn off the power with reason: Unspecified

System Shutdown

Service UmRdpService was stopped

Service Stop

Service PlugPlay was stopped

Service Stop

Service SQLBrowser was stopped

Service Stop

Service SQLWriter was stopped

Service Stop

Service CertPropSvc was stopped

Service Stop

Service WinRM was stopped

Service Stop

Service EventLog was stopped

Service Stop

Service TermService was stopped

Service Stop

Service IKEEXT was stopped

Service Stop

Service Schedule was stopped

Service Stop

Service Dhcp was stopped

Service Stop

Service CryptSvc was stopped

Service Stop

Associated Files

/var/tmp/dota3.tar.gz

SHA256: 5f8d1def0982bde31d69b2bce5ecb483f108098de6f5fd73d8e3ff6784ce2f5b

2088960 bytes