IP Address: 223.74.196.59 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: RDP
Tags: Service Start, Service Creation, Post Reboot Rename, Service Configuration, HTTP, Executable File Modification, Successful RDP Login, Download and Execute, Human, Access Suspicious Domain, File Operation By CMD, Outgoing Connection, Download File, DNS Query, CMD, RDP, System File Modification
Associated Attack Servers: alt1-safebrowsing.google.com, bd.pc2345.cn, hao.360.com, www.49.232.144.22.edu, www.49.232.144.22.org, www.bing.com, 23.249.20.75, 42.113.189.34, 42.113.194.240, 49.232.144.22, 110.185.171.182, 111.14.212.52
IP Address: 223.74.196.59
Domain: -
ISP: China Mobile Guangdong
Country: China
WHOIS
Created Date: -
Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2021-05-31
Last seen in Akamai Guardicore Segmentation: 2021-05-31
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using RDP with the following credentials: Administrator / ****** - Authentication policy: White List
Tags: Successful RDP Login
Process c:\program files\internet explorer\iexplore.exe attempted to access domains: go.microsoft.com, iecvlist.microsoft.com, ieonline.microsoft.com and www.bing.com
Tags: DNS Query
Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access domains: www.bing.com
Tags: DNS Query
Process NetworkService Service Group attempted to access domains: iecvlist.microsoft.com and www.bing.com
Tags: DNS Query
Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access suspicious domains: www.49.232.144.22.com, www.49.232.144.22.edu, www.49.232.144.22.net and www.49.232.144.22.org
Tags: DNS Query, Access Suspicious Domain
C:\Users\Administrator\AppData\Local\Microsoft\Internet Explorer\Tiles\pin-314712940\browserconfig.xml was downloaded
Tags: Download File
Process c:\program files\internet explorer\iexplore.exe attempted to access domains: iecvlist.microsoft.com, ieonline.microsoft.com and www.bing.com
Tags: DNS Query
Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access domains: hao.360.com
Tags: DNS Query
Process c:\program files (x86)\internet explorer\iexplore.exe attempted to access suspicious domains: bd.pc2345.cn
Tags: DNS Query, Access Suspicious Domain
Executable file C:\server.exe was modified
Tags: Executable File Modification
The file c:\windows\server.exe was downloaded and executed 3 times
Tags: Download and Execute
Process c:\windows\windowsupdate\bglwqhbfu.exe generated outgoing network traffic to: 49.232.144.22:52
Tags: Outgoing Connection
The file C:\Windows\WindowsUpdate\fnrkdbd.exe was downloaded and executed
Tags: Download and Execute
System file C:\Windows\AppCompat\Programs\Amcache.hve was modified
Tags: System File Modification
c:\windows\system32\services.exe installed and started c:\windows\svchost.exe as a service named Bcdefg under service group None
Tags: Service Start, Service Creation
Process c:\windows\svchost.exe attempted to access suspicious domains: 49.232.144.22
Tags: DNS Query, Access Suspicious Domain, Outgoing Connection
Process c:\windows\svchost.exe generated outgoing network traffic to: 49.232.144.22:6875
Tags: Outgoing Connection
c:\windows\syswow64\489828.bak was deleted by c:\windows\syswow64\urlmon.dll ( pending reboot )
Tags: Post Reboot Rename
c:\windows\syswow64\489828.bak was deleted by c:\windows\syswow64\msvcp60.dll ( pending reboot ) 2 times
Tags: Post Reboot Rename
The file C:\Windows\WindowsUpdate\tmhxgfythdi.exe was downloaded and executed
Tags: Download and Execute
Connection was closed due to timeout