IP Address: 60.219.25.184Previously Malicious
IP Address: 60.219.25.184Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
RDP SCP |
Tags |
Service Creation Access Suspicious Domain Known Malware Execute from Share Service Start DNS Query Service Configuration RDP Service Deletion Morto Successful RDP Login Service Stop Port 3389 Scan |
Associated Attack Servers |
ae2am1.shop qwest.net sprious.com zsttk.net 1.185.179.245 36.75.66.175 41.126.26.98 42.187.188.106 50.189.61.162 66.146.238.188 88.90.125.209 94.251.103.185 97.115.204.123 106.70.131.181 114.132.230.151 114.156.38.243 117.50.179.71 120.150.60.241 120.236.74.234 123.13.155.101 139.213.45.109 160.130.135.161 182.55.186.222 191.242.188.103 211.162.184.120 213.255.16.156 216.18.96.108 220.179.231.254 |
IP Address |
60.219.25.184 |
|
Domain |
- |
|
ISP |
China Unicom Liaoning |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2019-04-14 |
Last seen in Akamai Guardicore Segmentation |
2020-06-04 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using RDP with the following credentials: administrator / **** - Authentication policy: White List |
Successful RDP Login |
a.dll was loaded from the remote share \\tsclient\a by c:\windows\system32\rundll32.exe |
Execute from Share |
Service Ias was created and started |
Service Start Service Creation |
Process c:\windows\temp\ntshrui.dll attempted to access suspicious domains: dos1.jifr.net, flt1.jifr.net, ms.jifr.info, ms.jifr.net and ss.jifr.net 15 times |
DNS Query Access Suspicious Domain |
Service Ias was stopped |
Service Stop |
Process c:\windows\temp\ntshrui.dll attempted to access domains: ms.jifr.co.cc 15 times |
DNS Query |
Process c:\windows\temp\ntshrui.dll generated outgoing network traffic to: 192.168.8.10:3389, 192.168.8.11:3389, 192.168.8.12:3389, 192.168.8.13:3389, 192.168.8.1:3389, 192.168.8.2:3389, 192.168.8.3:3389, 192.168.8.4:3389, 192.168.8.5:3389, 192.168.8.6:3389, 192.168.8.7:3389, 192.168.8.8:3389, 192.168.8.9:3389 and 74.125.71.104:80 15 times |
|
Process c:\windows\temp\ntshrui.dll scanned port 3389 on 13 IP Addresses 15 times |
Port 3389 Scan |