Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 96.241.201.20Malicious

IP Address: 96.241.201.20Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

IDS - Attempted Administrator Privilege Gain IDS - A Network Trojan was detected Outgoing Connection Access Suspicious Domain DNS Query SMB Null Session Login PowerShell CMD Scheduled Task Creation SMB Known Malware File Operation By CMD MS17-010

Associated Attack Servers

neachers.com shell.loader0807.site

77.73.69.34 103.106.250.161 139.5.177.32 144.208.127.215 185.47.128.124

Basic Information

IP Address

96.241.201.20

Domain

-

ISP

Verizon Fios Business

Country

United States

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2019-12-05

Last seen in Akamai Guardicore Segmentation

2024-09-27

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

IDS detected A Network Trojan was detected : ETERNALBLUE Probe Vulnerable System Response MS17-010

IDS - A Network Trojan was detected

IDS detected Attempted Administrator Privilege Gain : Windows SMB remote code execution attempt

IDS - Attempted Administrator Privilege Gain

PowerShell session started by c:\windows\system32\windowspowershell\v1.0\powershell.exe

The machine was exploited using the ms17-010 vulnerability

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 103.106.250.161:8161, 139.5.177.32:80, 139.5.177.32:8032, 144.208.127.215:8080 and 77.73.69.34:8034

Outgoing Connection

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: neachers.com and shell.loader0807.site

Outgoing Connection DNS Query Access Suspicious Domain

The command line c:\windows\temp\conhoy.exe was scheduled to run by modifying C:\Windows\System32\Tasks\MicrosoftsWindowsy

Connection was closed due to user inactivity