IP Address: 202.70.66.227Malicious

Weekly Summary

Browse or download a weekly review of our cyber threat intelligence data and gain more insight to help protect your network

Top Threats

Cyber Threat Intelligence

Discover Malicious IPs and Domains with Guardicore Cyber Threat Feed

IP Address:
202.70.66.227​
Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

MSSQL SMB

Tags

Service Creation Access Suspicious Domain Inbound HTTP Request File Operation By CMD SMB CMD Service Start Download File SMB Null Session Login IDS - Potential Corporate Privacy Violation DNS Query SMB Share Connect PowerShell Service Deletion Listening MSSQL System File Modification Service Stop Download and Execute Scheduled Task Creation

Associated Attack Servers

t.amynx.com attdns.com

130.1.3.1

Basic Information

IP Address

202.70.66.227

Domain

-

ISP

Nepal Telecom

Country

Nepal

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2017-01-07

Last seen in Guardicore Centra

2020-11-24

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

The file C:\Windows\fuugEofJ.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started %systemroot%\fuugeofj.exe as a service named DZuP under service group None

Service Creation Service Start

IDS detected Potential Corporate Privacy Violation : Cryptocurrency Miner Checkin M2

IDS - Potential Corporate Privacy Violation

The file C:\Windows\WGbxyRZg.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started %systemroot%\wgbxyrzg.exe as a service named CPNM under service group None

Service Creation Service Start

C:\Windows\temp\tmp.vbs was downloaded

Download File

Service CPNM was stopped

Service Stop

Process netsvcs Service Group started listening on ports: 65529

Listening

Process c:\windows\syswow64\windowspowershell\v1.0\powershell.exe attempted to access suspicious domains: t.amynx.com 2 times

Access Suspicious Domain DNS Query

The command line C:\Windows\Hpgf.exe was scheduled to run by modifying C:\Windows\System32\Tasks\Hpgf

The command line c:\windows\tHFKuMxz.exe was scheduled to run by modifying C:\Windows\System32\Tasks\CfuPDuC

The file C:\Windows\vaaKBLZd.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started %systemroot%\vaakblzd.exe as a service named zTRc under service group None

Service Creation Service Start

System file C:\Windows\AppCompat\Programs\Amcache.hve was modified

System File Modification

The file C:\Windows\vSwPcBQk.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started %systemroot%\vswpcbqk.exe as a service named PzqA under service group None

Service Creation Service Start

Service PzqA was stopped

Service Stop

Process NetworkService Service Group attempted to access suspicious domains: t.amynx.com

Access Suspicious Domain DNS Query

The command line c:\windows\tHFKuMxz.exe was scheduled to run by modifying C:\Windows\System32\Tasks\iTwd

C:\Windows\wQWDhLbt.exe was downloaded

Download File

C:\Windows\nuKWtgBO.exe was downloaded

Download File

Connection was closed due to timeout

Associated Files

\\server-backup\c$\zilnbirc.exe

SHA256: 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

56320 bytes

C:\Windows\Temp\svchost.exe

SHA256: 27e56dacaf58dd51035bde87e4c0d2ac13a566588a042a2e163b2a1f73bed843

3250000 bytes

C:\Windows\temp\svchost.exe

SHA256: 2f1ce10f620d7ef1cf57d556f4d75744678db36067eea019cb369984c290b5f0

1235000 bytes

Oops! - Do you see your IP here? Contact us at labs@guardicore.com to remove it from the Threat Intelligence data.

IP Address: 202.70.66.227​Malicious