IP Address: 185.172.66.203 (Previously Malicious)


This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role: Attacker, Connect-Back, Scanner

Services Targeted: MSSQL

Tags: Execute MsSql Shell Command, File Operation By CMD, User Added to Group, IDS - Successful Administrator Privilege Gain, MSSQL Brute Force, Outgoing Connection, System File Modification, Access Suspicious Domain, Download and Execute, User Password Changed, Persistency - Logon, MSSQL, Successful MSSQL Login, Persistency - Image Hijack, CMD, DNS Query, Service Stop, User Created, Executable File Modification, Create MsSql Procedure, Persistency - Mime Filter

Associated Attack Servers


Basic Information

IP Address: 185.172.66.203
Domain: -
ISP: Cube Focus Limited
Country: Germany

WHOIS

Created Date: -
Updated Date: -
Organization: -

First seen in Guardicore Centra: 2019-09-03
Last seen in Guardicore Centra: 2020-03-30


Attack Flow

A user logged in using MSSQL with the following username: sa - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt) [Tags: Successful MSSQL Login, MSSQL Brute Force]

A user logged in using MSSQL with the following username: sa - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) [Tags: Successful MSSQL Login, MSSQL Brute Force]

A user logged in using MSSQL with the following credentials: sa / ****** - Authentication policy: Previously Approved User (Part of a Brute Force Attempt), 3 times [Tags: Successful MSSQL Login, MSSQL Brute Force]

MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc [Tags: Create MsSql Procedure]

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line taskkill.exe to run using Persistency - Image Hijack, 25 times [Tags: Persistency - Image Hijack, Persistency - Logon]

MSSQL executed 74 shell commands [Tags: Execute MsSql Shell Command]

c:\program files\microsoft sql server\mssql11.sqlexpress\mssql\binn\sqlservr.exe set the command line C:\RECYCLER\SQLAGENTIDC.exe to run using Persistency - Logon [Tags: Persistency - Image Hijack, Persistency - Logon]

The file C:\ProgramData\SQLAGENTIDC.exe was downloaded and executed, 3 times [Tags: Download and Execute]

Executable file C:\Users\Administrator\AppData\Local\Temp\SQLAGENTSWA.exe was modified, 9 times [Tags: Executable File Modification]

System file C:\Windows\AppCompat\Programs\Amcache.hve was modified [Tags: System File Modification]

IDS detected Successful Administrator Privilege Gain: Microsoft CScript Banner Outbound [Tags: IDS - Successful Administrator Privilege Gain]

Process c:\users\admini~1\appdata\local\temp\sqlagentswa.exe attempted to access suspicious domains: 185.172.66.203, c.vollar.ga, googleusercontent.com and xa.vollar.ga [Tags: Access Suspicious Domain, Outgoing Connection, DNS Query]

c:\users\admini~1\appdata\local\temp\sqlagentswa.exe installed a Persistency - Logon backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

Password for user Guest was changed to: ********* [Tags: User Password Changed]

User Guest was added to groups: Administrators [Tags: User Added to Group]

User IUER_SERVER was created with the password ********* and added to groups: Administrators, 3 times [Tags: User Created, User Added to Group]

The file C:\Windows\System32\SQLAGENTIDC.exe was downloaded and executed [Tags: Download and Execute]

System file C:\Windows\System32\en-US\conhost.exe.mui was modified [Tags: System File Modification]

Process c:\users\admini~1\appdata\local\temp\sqlagentswa.exe generated outgoing network traffic to: 185.172.66.203:9383 and 35.227.91.56:9383 [Tags: Outgoing Connection]

Service CryptSvc was stopped [Tags: Service Stop]

Connection was closed due to timeout

c:\windows\syswow64\taskkill.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry, 3 times [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\syswow64\taskkill.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\syswow64\taskkill.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry, 4 times [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\syswow64\taskkill.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry, 8 times [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\syswow64\taskkill.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\conhost.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\conhost.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry, 2 times [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry, 5 times [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\conhost.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\conhost.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry [Tags: Persistency - Mime Filter, Persistency - Logon]

c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry, 2 times [Tags: Persistency - Mime Filter, Persistency - Logon]

Associated Files

C:\ProgramData\SQLAGENTIDW.exe (103936 bytes)
SHA256: b1e76f87646f001966abc594630270d32ec80440d9e6ec6f978d76a8692f4354

C:\ProgramData\SQLAGENTIDB.exe (108032 bytes)
SHA256: acbc17ee1ad1eb73d6a1192be88e14fc77156c19244428c0d6930196b8f6c347

C:\Program Files (x86)\Microsoft SQL Server\SQLSerasi.exe (41278896 bytes)
SHA256: fbd942eecd9361191ab44d0c571ca5306629e2523cd133c5bfd170d88e8c3b97

C:\ProgramData\SQLAGENTVDC.exe (101376 bytes)
SHA256: bd24bbcdde84d231d5b7124fc1289385c6a70af4dbc611ccccf69c1891b7ff1a

c:\program files (x86)\microsoft sql server\sqlserasi.exe (41278896 bytes)
SHA256: bd21b95d217afe1c2a014adba26db53d57bebc0665304f5cbe36b34d4f026910

C:\Windows\System32\SQLAGENTIDC.exe (101376 bytes)
SHA256: 0eb100394cf05b840d1c0ae9fbfeb8b5208a3343f88e66f548a16cfe562850b3
