IP Address: 122.185.98.222 (Malicious)
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SMB
Tags: Successful SMB Login, System File Modification, Access Suspicious Domain, Service Configuration, File Operation By CMD, Download File, MSRPC, CMD, SMB Share Connect, Service Deletion, Port 445 Scan, Listening, IDS - Attempted User Privilege Gain, Service Creation, Service Start, Outgoing Connection, Download and Execute, SMB Null Session Login, SMB

Associated Attack Servers
IP Address: 122.185.98.222
Domain: -
ISP: Bharti Broadband
Country: India

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2022-11-24
Last seen in Akamai Guardicore Segmentation: 2023-05-13
What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
Incident events (in order of occurrence)

1. A user logged in using SMB from FXNB with the following username: Administrator - Authentication policy: Reached Max Attempts
   Tags: Successful SMB Login
2. A user logged in using SMB from HP-VJR0EFHHP62A with the following username: Administrator - Authentication policy: Previously Approved User
   Tags: Successful SMB Login
3. c:\windows\system32\services.exe installed and started cmd.exe as a service named RPCEvent38364889 under service group None
   Tags: Service Start, Service Creation
4. IDS detected Attempted User Privilege Gain : DCERPC SVCCTL - Remote Service Control Manager Access
   Tags: IDS - Attempted User Privilege Gain
5. A user logged in using SMB from HP-VJR0EFHHP62A with the following username: Administrator - Authentication policy: Previously Approved User
   Tags: Successful SMB Login
6. c:\windows\system32\services.exe installed and started cmd.exe as a service named HelpEvent38364889 under service group None
   Tags: Service Start, Service Creation
7. System file C:\Windows\system32\FNPCASHE.DAT was modified
   Tags: System File Modification
8. The file C:\Windows\system32\FNPCASHE.DAT was downloaded and executed
   Tags: Download and Execute
9. c:\windows\system32\fnpcashe.dat installed and started %systemroot%\system32\scardprv.dll as a service named SCardPrv under service group None
   Tags: Service Start, Service Creation
10. The file C:\Windows\SysWOW64\scardprv.dll was downloaded and loaded by c:\windows\syswow64\scardprv.dll
    Tags: Download and Execute
11. c:\windows\system32\fnpcashe.dat installed and started %systemroot%\system32\wmmvsvc.dll as a service named Wmmvsvc under service group None
    Tags: Service Start, Service Creation
12. The file C:\Windows\SysWOW64\Wmmvsvc.dll was downloaded and loaded by c:\windows\syswow64\wmmvsvc.dll
    Tags: Download and Execute
13. Process c:\windows\syswow64\svchost.exe started listening on ports: 443
    Tags: Listening
14. Process c:\windows\syswow64\svchost.exe generated outgoing network traffic to: 122.55.13.34:1420
    Tags: Outgoing Connection
15. Process c:\windows\syswow64\svchost.exe attempted to access suspicious domains: pldt.net
    Tags: Access Suspicious Domain, Outgoing Connection
16. Process c:\windows\syswow64\svchost.exe generated outgoing network traffic to: 34.165.240.1:445 through 34.165.240.43:445 (43 addresses: 34.165.240.1, 34.165.240.2, 34.165.240.3, 34.165.240.4, 34.165.240.5, 34.165.240.6, 34.165.240.7, 34.165.240.8, 34.165.240.9, 34.165.240.10, 34.165.240.11, 34.165.240.12, 34.165.240.13, 34.165.240.14, 34.165.240.15, 34.165.240.16, 34.165.240.17, 34.165.240.18, 34.165.240.19, 34.165.240.20, 34.165.240.21, 34.165.240.22, 34.165.240.23, 34.165.240.24, 34.165.240.25, 34.165.240.26, 34.165.240.27, 34.165.240.28, 34.165.240.29, 34.165.240.30, 34.165.240.31, 34.165.240.32, 34.165.240.33, 34.165.240.34, 34.165.240.35, 34.165.240.36, 34.165.240.37, 34.165.240.38, 34.165.240.39, 34.165.240.40, 34.165.240.41, 34.165.240.42, 34.165.240.43)
17. Process c:\windows\syswow64\svchost.exe scanned port 445 on 43 IP Addresses
    Tags: Port 445 Scan
18. Connection was closed due to user inactivity
|
Files observed

C:\Windows\system32\FNPCASHE.DAT
SHA256: 4131b38cd737157f274074a1202db75b06da43100f6ab8e606fd6d32f44f4c96
Size: 208896 bytes

C:\WINDOWS\system32\FNPCASHE.DAT
SHA256: 593c0debfad60899977f28bc9ae28b87d167124881982caa1d21ae0e22baf62d
Size: 208896 bytes

C:\WINDOWS\system32\mssscardprv.ax
SHA256: 7c91cc050189b37eba51b02246890e9fb629f91d5f1f003d3d2209e91aa0e918
Size: 1352 bytes

C:\WINDOWS\system32\FNPCASHE.DAT
SHA256: 9fa22fa766270357592351b8783c9c2d8c5a75ec9423078f21fe8308addea363
Size: 208896 bytes

C:\WINDOWS\system32\FNPCASHE.DAT
SHA256: b0bb9b7288a249be4e8068d120677f073c10b182bc5c5f48662df666be63e886
Size: 208896 bytes

C:\WINDOWS\system32\mssscardprv.ax
SHA256: ef5780dcd4e6ce9a545ac2a82e55098a273cd5f96a7441f1330e1d40e7a8eb9d
Size: 1352 bytes