IP Address: 206.84.104.110 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner
Services Targeted | MSSQL, MYSQL
Tags | System File Modification, Download and Execute, Execute MsSql Shell Command, File Operation By CMD, Outgoing Connection, Service Configuration, Successful MSSQL Login, PowerShell, DNS Query, Post Reboot Rename, MSSQL, CMD, Access Suspicious Domain, SMB, IDS - Attempted User Privilege Gain, Persistency - Print Monitors
Associated Attack Servers
IP Address | Domain | ISP | Country | WHOIS Created Date | WHOIS Updated Date | Organization
206.84.104.110 | - | - | Indonesia | - | - | -
First seen in Akamai Guardicore Segmentation | 2023-04-14
Last seen in Akamai Guardicore Segmentation | 2024-07-18
Event | Tags
A user logged in using MSSQL with the following credentials: sa / ***** - Authentication policy: Reached Max Attempts | Successful MSSQL Login
MSSQL executed 1 shell command | Execute MsSql Shell Command
Process c:\windows\system32\wscript.exe attempted to access suspicious domains: down.ftp21.cc | DNS Query, Access Suspicious Domain
IDS detected Attempted User Privilege Gain : SQL sp_configure - configuration change | IDS - Attempted User Privilege Gain
IDS detected Attempted User Privilege Gain : xp_reg* - registry access | IDS - Attempted User Privilege Gain
IDS detected Attempted User Privilege Gain : xp_cmdshell - program execution | IDS - Attempted User Privilege Gain
c:\windows\temp\httpa.exe set the command line C:\Windows\Logs\RunDllExe.dll to run using Persistency - Print Monitors | Persistency - Print Monitors
c:\programdata\httpa.exe set the command line C:\Windows\Logs\RunDllExe.dll to run using Persistency - Print Monitors | Persistency - Print Monitors
System file C:\Windows\AppCompat\Programs\Amcache.hve was modified 4 times | System File Modification
The file C:\Windows\Logs\RunDllExe.dll was downloaded and loaded by c:\windows\system32\spoolsv.exe | Download and Execute
Process c:\windows\syswow64\svchost.exe attempted to access suspicious domains: wmi.362-com.com | DNS Query, Outgoing Connection, Access Suspicious Domain
Process c:\windows\syswow64\svchost.exe generated outgoing network traffic to: 211.57.200.17:53 | Outgoing Connection
c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\odsole70.dll was deleted by c:\windows\temp\httpa.exe (pending reboot) | Post Reboot Rename
c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\odsole70.dll was deleted by c:\programdata\httpa.exe (pending reboot) 2 times | Post Reboot Rename
PowerShell session started by c:\windows\system32\reg.exe | -
PowerShell session started by c:\windows\system32\windowspowershell\v1.0\powershell.exe 2 times | -
The file C:\Windows\Temp\Win8.exe was downloaded and executed | Download and Execute
The file C:\ProgramData\Win8.exe was downloaded and executed | Download and Execute
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: down.ftp21.cc | DNS Query, Outgoing Connection, Access Suspicious Domain
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: down.ftp21.cc 2 times | DNS Query, Outgoing Connection, Access Suspicious Domain
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 115.23.223.72:80 | Outgoing Connection
Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 115.23.223.72:80 2 times | Outgoing Connection
Process c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe attempted to access suspicious domains: down.ftp21.cc | DNS Query, Outgoing Connection, Access Suspicious Domain
Process c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe generated outgoing network traffic to: 115.23.223.72:80 | Outgoing Connection
IDS detected Attempted User Privilege Gain : sp_start_job - program execution | IDS - Attempted User Privilege Gain
Connection was closed due to user inactivity | -
File | SHA256 | Size
/usr/local/mysql/lib/plugin/LinuxUDF32.SO | 2789f4dbbcdeb8ebff855829c734fad4e466fdd736d441e62888b8de5bc31826 | 5696 bytes
/usr/local/mysql/lib/plugin/zzwszv32.so | 681c6aa7782eb7780ea4d0745ba9dfd0c20cd363e3f2976f7e76fe13984d364d | 8128 bytes
C:\Windows\Logs\RunDllExe.dll | a70e9e61242f28f1946084e67f6e2db7e2974e22da56a629b086e6c13241782b | 174772 bytes