IP Address: 180.97.220.26 (Previously Malicious)

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Scanner

Services Targeted: MSSQL

Tags: Access Suspicious Domain, IDS - Successful Administrator Privilege Gain, User Created, Successful MSSQL Login, File Operation By CMD, Persistency - Logon, User Password Changed, Outgoing Connection, DNS Query, Service Start, MSSQL Brute Force, MSSQL, User Added to Group, System File Modification, Scheduled Task Creation, Service Configuration, Download and Execute, Create MsSql Procedure, Execute MsSql Shell Command, Service Creation, CMD

Associated Attack Servers

c.vollar.ga isrg.trustid.ocsp.identrust.com x.nxxxn.ga 156.238.2.78 secureserver.net ctldl.windowsupdate.com s.xzzzx.ga tbip.alicdn.com iphoster.net ocsp.globalsign.com 114.113.151.154 crl.globalsign.com 2019.ip138.com c.xzzzx.ga apps.identrust.com s.vollar.ga d.nxxxn.ga r.pengyou.com x.vollar.ga www.baidu.com ocsp.int-x3.letsencrypt.org 185.172.66.203 o.vollar.ga d.vollar.ga ocsp2.globalsign.com map.baidu.com www.rejetto.com googleusercontent.com o.xzzzx.ga

114.113.151.154 166.62.30.153 145.239.23.7 35.230.34.112 185.172.66.203 156.238.2.78

Basic Information

IP Address: 180.97.220.26

Domain: -

ISP: China Telecom jiangsu

Country: China

WHOIS

Created Date: -

Updated Date: -

Organization: -

First seen in Guardicore Centra: 2019-07-07

Last seen in Guardicore Centra: 2019-09-22

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using MSSQL with the following credentials: kisadmin / ******* - Authentication policy: White List (Part of a Brute Force Attempt)

Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following username: sa - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt)

Successful MSSQL Login, MSSQL Brute Force

MSSQL executed 44 shell commands

Execute MsSql Shell Command

A user logged in using MSSQL with the following username: sa - Authentication policy: Previously Approved User (Part of a Brute Force Attempt)

Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: kisadmin / ******* - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) 2 times

Successful MSSQL Login, MSSQL Brute Force

The file C:\ProgramData\SQLAGENTIDW.exe was downloaded and executed 7 times

Download and Execute

IDS detected Successful Administrator Privilege Gain: Microsoft CScript Banner Outbound

IDS - Successful Administrator Privilege Gain

MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc

Create MsSql Procedure

System file C:\Windows\AppCompat\Programs\Amcache.hve was modified 4 times

System File Modification

c:\users\admini~1\appdata\local\temp\sqlagentsrw.exe installed a Persistency - Logon backdoor by modifying Windows Registry

Persistency - Logon

Process c:\users\admini~1\appdata\local\temp\sqlagentsrw.exe attempted to access suspicious domains: 156.238.2.78, c.xzzzx.ga, s.xzzzx.ga and x.nxxxn.ga

Access Suspicious Domain, Outgoing Connection, DNS Query

Process c:\users\admini~1\appdata\local\temp\sqlagentsrw.exe generated outgoing network traffic to: 156.238.2.78:9383

Outgoing Connection

Process c:\users\admini~1\appdata\local\temp\sqlagentsrw.exe attempted to access domains: 2019.ip138.com, crl.globalsign.com, ctldl.windowsupdate.com, map.baidu.com, ocsp.globalsign.com, ocsp2.globalsign.com, tbip.alicdn.com and www.baidu.com

DNS Query

Process c:\users\admini~1\appdata\local\temp\sqlagentc.exe attempted to access suspicious domains: o.vollar.ga

Access Suspicious Domain, DNS Query

Password for user Guest was changed to: *********

User Password Changed

User Guest was added to groups: Administrators

User Added to Group

User IUER_SERVER was created with the password ********* and added to groups: Administrators 3 times

User Created, User Added to Group

Process NetworkService Service Group attempted to access domains: ctldl.windowsupdate.com

DNS Query

The file C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe was downloaded and executed 3 times

Download and Execute

c:\windows\system32\services.exe installed and started c:\program as a service named Microsoft SQL Serverai under service group None

Service Start, Service Creation

Process c:\program files (x86)\microsoft sql server\sqlserasi.exe attempted to access suspicious domains: d.nxxxn.ga and r.pengyou.com

Access Suspicious Domain, Outgoing Connection, DNS Query

Process c:\program files (x86)\microsoft sql server\sqlserasi.exe generated outgoing network traffic to: 156.238.2.78:22251

Outgoing Connection

The command line C:\ProgramData\SQLAGENTVDA.exe was scheduled to run by modifying C:\Windows\System32\Tasks\.NET Framework NGEN v4.2.20229

The command line C:\ProgramData\SQLAGENTVDA.exe was scheduled to run by modifying C:\Windows\System32\Tasks\.NET Framework NGEN v4.2.20229 64

The command line C:\RECYCLER\SQLAGENTVDA.exe was scheduled to run by modifying C:\Windows\System32\Tasks\.NET Framework NGEN v4.2.20339

The command line C:\RECYCLER\SQLAGENTVDA.exe was scheduled to run by modifying C:\Windows\System32\Tasks\.NET Framework NGEN v4.2.20339 64

The command line C:\ProgramData\SQLAGENTIDA.exe was scheduled to run by modifying C:\Windows\System32\Tasks\.NET Framework NGEN v4.2.20429

The command line C:\ProgramData\SQLAGENTIDA.exe was scheduled to run by modifying C:\Windows\System32\Tasks\.NET Framework NGEN v4.2.20429 64

The command line C:\RECYCLER\SQLAGENTIDA.exe was scheduled to run by modifying C:\Windows\System32\Tasks\.NET Framework NGEN v4.2.20539

The command line C:\RECYCLER\SQLAGENTIDA.exe was scheduled to run by modifying C:\Windows\System32\Tasks\.NET Framework NGEN v4.2.20539 64

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line C:\ProgramData\SQLAGENTIDW.exe to run using Persistency - Logon

Persistency - Logon

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line C:\RECYCLER\SQLAGENTIDW.exe to run using Persistency - Logon

Persistency - Logon

Connection was closed due to timeout

Associated Files

C:\ProgramData\SQLAGENTIDW.exe

SHA256: 875f1ae634c573896d275c9866ca6094e077a2a05fc2b97327d8720406675789

102400 bytes

C:\Windows\System32\SQLAGENTSVZ.exe

SHA256: 202d77288b7be094c9a7402dabf6e820692635c3fd0af1a5a446009a43967c98

88576 bytes

C:\ProgramData\SQLAGENTSVZ.exe

SHA256: a1553c21d4e0a74274025b96c738e273ad9dfdf8fec7f0354232d9a4c34c0bd3

374784 bytes

C:\Program Files (x86)\Microsoft SQL Server\SqlWtsno.exe

SHA256: 4fd21f485b3bf4f5cb42899ed1d7588a1f387d636f425f55661d2315d66a95dc

41278128 bytes

C:\ProgramData\SQLAGENTIDW.exe

SHA256: b1e76f87646f001966abc594630270d32ec80440d9e6ec6f978d76a8692f4354

103936 bytes

C:\ProgramData\SQLAGENTIDW.exe

SHA256: 687032a5e8783d36691e48b992fe94a7f98f84e6abdfa8ce3ef975127272ad6d

566272 bytes

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe

SHA256: 1a76b73da2338c8ef10de283c651d8f058a3f63d0a62153235be0143bbb2e3f4

41278896 bytes
