IP Address: 190.203.249.53Previously Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
190.203.249.53​
Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

MSSQL

Tags

SMB MSRPC System Shutdown Service Deletion CMD DNS Query Post Reboot Rename Service Creation Service Configuration Service Start Successful SMB Login Bulk Files Tampering Download and Execute Access Suspicious Domain MSSQL

Associated Attack Servers

es.ldbdhm.xyz

Basic Information

IP Address

190.203.249.53

Domain

-

ISP

Cantv

Country

Venezuela, Bolivarian Republic of

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-11-14

Last seen in Guardicore Centra

2019-11-14

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User 2 times

Successful SMB Login

c:\windows\system32\services.exe installed and started mshta.exe as a service named bOgD under service group None

Service Creation Service Start

Service msiserver was started

Service Start

Process c:\windows\system32\msiexec.exe attempted to access suspicious domains: es.ldbdhm.xyz

Access Suspicious Domain DNS Query

The file C:\Windows\Installer\MSIC228.tmp was downloaded and loaded by c:\windows\syswow64\msiexec.exe

Download and Execute

c:\windows\apppatch\acpsens.dll was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\system32\sens.dll was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\apppatch\ke583427.xsl was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\system32\sens.dll was renamed to c:\windows\apppatch\acpsens.dll by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\winupdate64.log was renamed to c:\windows\system32\sens.dll by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\system32\services.exe installed and started mshta.exe as a service named NEOC under service group None

Service Creation Service Start

c:\windows\system32\msiexec.exe attempted shutdown of type Shut down the system and then restarted it, as well as any applications that have been registered for restart, Shut down the system and then restarted the system with reason: Unspecified 2 times

System Shutdown

c:\windows\system32\wininit.exe attempted shutdown of type Shut down the system and then restarted the system, Shut down the system to a point at which it is safe to turn off the power with reason: Unspecified

System Shutdown

The file C:\Windows\Installer\MSICDBB.tmp was downloaded and loaded by c:\windows\syswow64\msiexec.exe

Download and Execute

c:\windows\apppatch\acpsens.dll was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\system32\sens.dll was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\apppatch\ke583427.xsl was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows was deleted by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\system32\sens.dll was renamed to c:\windows\apppatch\acpsens.dll by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

c:\windows\winupdate64.log was renamed to c:\windows\system32\sens.dll by c:\windows\system32\msiexec.exe ( pending reboot )

Post Reboot Rename

Connection was closed due to user inactivity

Process c:\windows\system32\msiexec.exe performed bulk changes in {c:} on 43 files

Bulk Files Tampering

Associated Files

C:\Windows\Installer\MSIFE3.tmp

SHA256: 4dd9fe3bfb862a61c22c104af758eb4cbf0c5ab3465891cee0da33bebacc22ee

232448 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 190.203.249.53​Previously Malicious