IP Address: 183.153.73.27 (Previously Malicious)
This IP address attempted an attack on a machine in our threat sensors network
| Field | Value |
|---|---|
| Role | Attacker, Scanner |
| Services Targeted | SMB |
| Tags | Listening, SMB Null Session Login, Service Start, HTTP, Outgoing Connection, Persistency - Logon, MSRPC, Service Deletion, IDS - Attempted User Privilege Gain, DNS Query, SMB Share Connect, Download File, Service Stop, Successful SMB Login, Service Creation, Access Suspicious Domain, SMB, Download and Execute |
| Associated Attack Servers | 16clouds.com, alt1.gmail-smtp-in.l.google.com, alt2.gmail-smtp-in.l.google.com, alt3.gmail-smtp-in.l.google.com, alt4.gmail-smtp-in.l.google.com, gmail.com, gmail-smtp-in.l.google.com, mm.pl, 46.143.230.186, 87.116.227.233, 117.198.13.46, 124.81.85.117, 172.25.138.198, 173.242.125.28, 211.241.159.138, 212.111.208.106, 212.126.97.209, 220.228.161.202 |
| Field | Value |
|---|---|
| IP Address | 183.153.73.27 |
| Domain | - |
| ISP | - |
| Country | China |
| WHOIS Created Date | - |
| WHOIS Updated Date | - |
| Organization | - |
| First seen in Akamai Guardicore Segmentation | 2022-12-28 |
| Last seen in Akamai Guardicore Segmentation | 2022-12-28 |
What is Akamai Guardicore Segmentation: Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.
| Event | Tags |
|---|---|
| A user logged in using SMB from PC-20191026RGRY with the following username: administrator - Authentication policy: Correct Password | Successful SMB Login |
| C:\windows\stm8.inf was downloaded | Download File |
| IDS detected Attempted User Privilege Gain: DCERPC SVCCTL - Remote Service Control Manager Access | IDS - Attempted User Privilege Gain |
| c:\windows\system32\services.exe installed and started c:\windows\isass.exe as a service named wgautr under service group None | Service Start, Service Creation |
| The file C:\WINDOWS\Isass.exe was downloaded and executed | Download and Execute |
| Process c:\windows\isass.exe attempted to access domains: alt1.gmail-smtp-in.l.google.com, alt2.gmail-smtp-in.l.google.com, alt3.gmail-smtp-in.l.google.com, alt4.gmail-smtp-in.l.google.com, gmail-smtp-in.l.google.com and gmail.com | DNS Query |
| Process c:\windows\isass.exe started listening on ports: 53 | Listening |
| Process c:\windows\isass.exe generated outgoing network traffic to: 117.198.13.46:443, 124.81.85.117:53, 172.25.138.198:53, 173.242.125.28:53, 211.241.159.138:53, 212.111.208.106:53, 212.126.97.209:53, 220.228.161.202:53, 46.143.230.186:53, 74.125.133.26:25 and 87.116.227.233:53 | Outgoing Connection |
| c:\windows\isass.exe set the command line c:\windows\Isass.exe %1 to run using Persistency - Logon | Persistency - Logon |
| Process c:\windows\isass.exe attempted to access suspicious domains: 16clouds.com and mm.pl | DNS Query, Access Suspicious Domain, Outgoing Connection |
| Service wgautr was stopped | Service Stop |
| Connection was closed due to user inactivity | - |
|
| File | SHA256 | Size |
|---|---|---|
| C:\windows\stm8.inf | a2d68cda02b7536ffc631e9e507968b2d7942e8ea3073b120d7086b4ab8186c6 | 92 bytes |
| C:\WINDOWS\Isass.exe | ca7f9faa35ae2808ebcdca5c3a95b3c80d35a0c69eebeae8ba522c39f0454bf3 | 65536 bytes |