IP Address: 196.29.167.210
Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role: Attacker, Scanner
Services Targeted: SMB
Tags: Service Stop, Listening, SMB Share Connect, DNS Query, Service Deletion, SMB Null Session Login, Download and Execute, CMD, Service Start, Service Configuration, SMB, Persistency - Logon, Successful SMB Login, System File Modification, Service Creation, Access Suspicious Domain, File Operation By CMD

Associated Attack Servers
IP Address: 196.29.167.210
Domain: -
ISP: KANARTEL
Country: Sudan

WHOIS
Created Date: -
Updated Date: -
Organization: -

First seen in Akamai Guardicore Segmentation: 2021-02-10
Last seen in Akamai Guardicore Segmentation: 2021-03-31
A user logged in using SMB with the following username: Administrator - Authentication policy: Reached Max Attempts
Successful SMB Login |
c:\windows\system32\services.exe installed and started %systemroot%\ygiobdjs.exe as a service named Kbfx under service group None |
Service Start Service Creation |
The file C:\Windows\YgIoBdJs.exe was downloaded and executed |
Download and Execute |
A user logged in using SMB with the following username: Administrator - Authentication policy: Previously Approved User 4 times |
Successful SMB Login |
Service Kbfx was stopped |
Service Stop |
System file C:\Windows\AppCompat\Programs\Amcache.hve was modified 4 times |
System File Modification |
The file c:\windows\syswow64\drivers\svchost.exe was downloaded and executed 2 times |
Download and Execute |
The file C:\Windows\Temp\svchost.exe was downloaded and executed 4 times |
Download and Execute |
System file c:\windows\syswow64\drivers\svchost.exe was modified 4 times |
System File Modification |
c:\windows\temp\ttt.exe set the command line c:\windows\SysWOW64\wmiex.exe to run using Persistency - Logon |
Persistency - Logon |
c:\windows\system32\services.exe installed and started %systemroot%\drfyevqa.exe as a service named hutD under service group None |
Service Start Service Creation |
Process c:\windows\temp\svchost.exe started listening on ports: 60124 2 times |
Listening |
c:\windows\system32\services.exe installed and started c:\windows\syswow64\wmiex.exe as a service named WebServers under service group None |
Service Start Service Creation |
The file C:\Windows\drfyEVqa.exe was downloaded and executed |
Download and Execute |
The file c:\windows\syswow64\wmiex.exe was downloaded and executed 2 times |
Download and Execute |
Service hutD was stopped |
Service Stop |
Process c:\windows\syswow64\wmiex.exe attempted to access suspicious domains: ii.haqo.net, oo.beahh.com and pp.abbny.com |
DNS Query Access Suspicious Domain |
c:\windows\temp\setup-install.exe set the command line c:\windows\SysWOW64\drivers\svchost.exe to run using Persistency - Logon |
Persistency - Logon |
c:\windows\system32\services.exe installed and started c:\windows\syswow64\drivers\svchost.exe as a service named Ddriver under service group None |
Service Start Service Creation |
The file C:\Windows\SysWOW64\drivers\taskmgr.exe was downloaded and executed |
Download and Execute |
Process c:\windows\syswow64\drivers\svchost.exe started listening on ports: 65533 |
Listening |
Process netsvcs Service Group started listening on ports: 65531 and 65532 |
Listening |
Connection was closed due to timeout |
|