IP Address: 49.207.184.99 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role | Attacker, Scanner |
Services Targeted | SMB |
Tags | Service Creation DNS Query Download File Successful SMB Login SMB Share Connect Service Stop SMB Null Session Login Port 53 Scan Persistency - Logon Service Deletion NetBIOS SMB Listening Download and Execute |
Associated Attack Servers | alt1.gmail-smtp-in.l.google.com, alt2.gmail-smtp-in.l.google.com, alt3.gmail-smtp-in.l.google.com, alt4.gmail-smtp-in.l.google.com, gmail.com, gmail-smtp-in.l.google.com |
IP Address | 49.207.184.99 |
Domain | - |
ISP | ACT Fibernet |
Country | India |
WHOIS |
Created Date | - |
Updated Date | - |
Organization | - |
First seen in Akamai Guardicore Segmentation | 2018-06-24 |
Last seen in Akamai Guardicore Segmentation | 2023-10-21 |
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
A user logged in using SMB from WIN2003SE with the following username: administrator - Authentication policy: Reached Max Attempts | Successful SMB Login |
C:\windows\stm8.inf was downloaded | Download File |
c:\windows\system32\services.exe installed and started c:\windows\isass.exe as a service named wgautr under service group None | Service Start, Service Creation |
The file C:\WINDOWS\Isass.exe was downloaded and executed | Download and Execute |
Process c:\windows\isass.exe attempted to access domains: alt1.gmail-smtp-in.l.google.com, alt2.gmail-smtp-in.l.google.com, alt3.gmail-smtp-in.l.google.com, alt4.gmail-smtp-in.l.google.com, gmail-smtp-in.l.google.com and gmail.com | DNS Query |
Process c:\windows\isass.exe started listening on ports: 53 | Listening |
Process c:\windows\isass.exe generated outgoing network traffic to: 111.0.196.91:53, 125.224.214.163:53, 139.196.14.149:53, 192.168.1.5:53, 192.168.1.9:53, 197.156.93.188:53, 211.241.159.138:53, 218.249.67.234:53, 42.121.195.236:53, 74.125.133.26:25 and 95.70.64.27:53 | |
c:\windows\isass.exe set the command line c:\windows\Isass.exe %1 to run using Persistency - Logon | Persistency - Logon |
Process c:\windows\isass.exe scanned port 53 on 10 IP Addresses | Port 53 Scan |
Service wgautr was stopped | Service Stop |
Connection was closed due to timeout | |
C:\WINDOWS\Isass.exe |
SHA256: 014f7b048d290dc42eab70431e41e4fd25994a70827fc7ad90a2e811000cb145 |
70144 bytes |
C:\windows\stm8.inf |
SHA256: 05fd5fc660672d345a9a7505fb39c7c99477d02db0a5f8f7f9afb01b1c8cb659 |
92 bytes |