Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 122.54.185.163Previously Malicious

IP Address: 122.54.185.163Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

Listening Service Start Access Share Service Creation Service Configuration Successful SMB Login SMB Brute Force SMB Null Session Login Download and Execute SMB Share Connect SMB Port 445 Scan Access Suspicious Domain Service Deletion Outgoing Connection Download File CMD RDP

Associated Attack Servers

74.187.198.198 74.187.198.213 181.89.139.248

Basic Information

IP Address

122.54.185.163

Domain

-

ISP

Philippine Long Distance Telephone

Country

Philippines

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2017-01-21

Last seen in Akamai Guardicore Segmentation

2021-06-25

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB from FXNB with the following username: Administrator - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)

SMB Brute Force Successful SMB Login

A user logged in using SMB from B2BWS2003 with the following username: Administrator - Authentication policy: Previously Approved User (Part of a Brute Force Attempt)

SMB Brute Force Successful SMB Login

c:\windows\system32\services.exe installed and started cmd.exe as a service named RPCEvent1576814312 under service group None

Service Start Service Creation

C:\WINDOWS\system32\mssscardprv.ax was downloaded

Download File

The file C:\WINDOWS\system32\FNPCASHE.DAT was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started cmd.exe as a service named HelpEvent1576814312 under service group None 2 times

Service Start Service Creation

c:\windows\system32\fnpcashe.dat installed and started %systemroot%\system32\scardprv.dll as a service named SCardPrv under service group SCardPrv

Service Start Service Creation

The file C:\WINDOWS\system32\scardprv.dll was downloaded and loaded by c:\windows\system32\scardprv.dll

Download and Execute

Process SCardPrv Service Group started listening on ports: 443

Listening

c:\windows\system32\fnpcashe.dat installed and started %systemroot%\system32\wmmvsvc.dll as a service named Wmmvsvc under service group Wmmvsvc

Service Start Service Creation

Process SCardPrv Service Group generated outgoing network traffic to: 181.89.139.248:80

Outgoing Connection

Process SCardPrv Service Group attempted to access suspicious domains: telecom.net.ar

Access Suspicious Domain Outgoing Connection

The file C:\WINDOWS\system32\Wmmvsvc.dll was downloaded and loaded by c:\windows\system32\wmmvsvc.dll

Download and Execute

Process Wmmvsvc Service Group generated outgoing network traffic to: 192.168.10.10:445, 192.168.10.11:445, 192.168.10.12:445, 192.168.10.13:445, 192.168.10.14:445, 192.168.10.15:445, 192.168.10.16:445, 192.168.10.17:445, 192.168.10.18:445, 192.168.10.19:445, 192.168.10.1:445, 192.168.10.20:445, 192.168.10.21:445, 192.168.10.22:445, 192.168.10.23:445, 192.168.10.24:445, 192.168.10.25:445, 192.168.10.26:445, 192.168.10.27:445, 192.168.10.28:445, 192.168.10.29:445, 192.168.10.2:445, 192.168.10.30:445, 192.168.10.31:445, 192.168.10.32:445, 192.168.10.33:445, 192.168.10.34:445, 192.168.10.35:445, 192.168.10.36:445, 192.168.10.37:445, 192.168.10.38:445, 192.168.10.39:445, 192.168.10.3:445, 192.168.10.40:445, 192.168.10.41:445, 192.168.10.42:445, 192.168.10.43:445, 192.168.10.44:445, 192.168.10.45:445, 192.168.10.46:445, 192.168.10.47:445, 192.168.10.48:445, 192.168.10.49:445, 192.168.10.4:445, 192.168.10.50:445, 192.168.10.51:445, 192.168.10.52:445, 192.168.10.53:445, 192.168.10.54:445, 192.168.10.55:445, 192.168.10.56:445, 192.168.10.57:445, 192.168.10.58:445, 192.168.10.59:445, 192.168.10.5:445, 192.168.10.60:445, 192.168.10.61:445, 192.168.10.62:445, 192.168.10.63:445, 192.168.10.64:445, 192.168.10.65:445, 192.168.10.66:445, 192.168.10.67:445, 192.168.10.68:445, 192.168.10.69:445, 192.168.10.6:445, 192.168.10.70:445, 192.168.10.71:445, 192.168.10.72:445, 192.168.10.73:445, 192.168.10.74:445, 192.168.10.75:445, 192.168.10.76:445, 192.168.10.77:445, 192.168.10.78:445, 192.168.10.79:445, 192.168.10.7:445, 192.168.10.80:445, 192.168.10.81:445, 192.168.10.82:445, 192.168.10.83:445, 192.168.10.84:445, 192.168.10.85:445, 192.168.10.86:445, 192.168.10.87:445, 192.168.10.88:445, 192.168.10.89:445, 192.168.10.8:445, 192.168.10.90:445, 192.168.10.91:445, 192.168.10.92:445, 192.168.10.93:445, 192.168.10.94:445, 192.168.10.95:445, 192.168.10.96:445, 192.168.10.97:445, 192.168.10.98:445, 192.168.10.99:445 and 192.168.10.9:445

Process Wmmvsvc Service Group scanned port 445 on 99 IP Addresses

Port 445 Scan

A user logged in using SMB from FXNB with the following username: Administrator - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 3 times

SMB Brute Force Successful SMB Login

Connection was closed due to timeout