Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 190.36.32.19Previously Malicious

IP Address: 190.36.32.19Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

Execute from Share SMB Share Connect CMD Access Share SMB Null Session Login IDS - A Network Trojan was detected Service Creation Listening Service Stop DNS Query Successful SMB Login SMB Access Suspicious Domain Cookie Hijacking Persistency - Logon Download File Service Start Access Violation Service Deletion Download and Execute

Associated Attack Servers

w.beahh.com

196.219.95.172

Basic Information

IP Address

190.36.32.19

Domain

-

ISP

Cantv

Country

Venezuela, Bolivarian Republic of

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2020-11-12

Last seen in Akamai Guardicore Segmentation

2020-11-24

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: Administrator - Authentication policy: Correct Password

Successful SMB Login

C:\VQaEbWbN.exe was downloaded

Download File

vqaebwbn.exe was executed from the remote share \\server-backup\c$

Execute from Share

c:\windows\system32\services.exe installed and started \\server-backup\c$\vqaebwbn.exe as a service named lnUS under service group None

Service Start Service Creation

Service lnUS was stopped

Service Stop

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (MSF style)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (Generic Flags)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : ETERNALBLUE Probe Vulnerable System Response MS17-010

IDS - A Network Trojan was detected

c:\windows\system32\services.exe installed and started cmd as a service named VIoN under service group None

Service Start Service Creation

The file C:\installed2.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started cmd as a service named AcXo under service group None

Service Start Service Creation

The file C:\WINDOWS\Temp\svchost.exe was downloaded and executed 4 times

Download and Execute

The file C:\WINDOWS\Temp\_MEI12962\msvcr90.dll was downloaded and loaded by c:\windows\temp\svchost.exe

Download and Execute

Service AcXo was stopped

Service Stop

Process c:\installed2.exe started listening on ports: 65533

Listening

Process c:\windows\temp\svchost.exe started listening on ports: 60124

Listening

A user logged in using SMB with the following username: Administrator - Authentication policy: Previously Approved User

Successful SMB Login

Process c:\installed2.exe attempted to access suspicious domains: i.haqo.net

DNS Query Access Suspicious Domain

C:\MzsVGhhn.exe was downloaded

Download File

Process c:\windows\system32\mshta.exe attempted to access suspicious domains: w.beahh.com

DNS Query Access Suspicious Domain

c:\windows\temp\ttt.exe set the command line C:\WINDOWS\system32\wmiex.exe to run using Persistency - Logon

Persistency - Logon

Connection was closed due to user inactivity