Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 210.245.60.235Malicious

IP Address: 210.245.60.235Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SMB

Tags

Outgoing Connection Download and Execute Service Creation MSRPC Service Start Service Deletion Access Suspicious Domain SMB CMD Successful SMB Login

Associated Attack Servers

121.in-addr.arpa 163data.com.cn 49-tataidc.co.in 60.in-addr.arpa adyl.net.br airnetnetworks.com airtelbroadband.in airtel.in amazonaws.com asianet.co.in bol-online.com cable.net.co claro.net.do collabefood.com dsl.net.pk gmaestelecom.com.br gorillaservers.com gtdinternet.com hinet.net hwclouds-dns.com ishannetsol.com jlccptt.net.cn justgroup.mn krisent.com milleni.com.tr netsolir.com nettlinx.com nexlinx.net.pk pol.ir technowave.ne.jp

1.33.141.125 1.55.142.249 1.55.211.225 1.248.75.8 2.179.64.88 3.249.36.102 5.76.205.46 5.150.64.46 8.137.23.86 14.17.80.147 14.102.107.151 14.155.228.102 14.157.138.127 14.157.138.226 14.162.72.61 14.182.158.65 14.191.3.58 14.191.135.130 14.191.135.198 14.191.217.16 14.244.7.247 14.244.154.134 14.249.205.188 23.94.203.148 23.224.230.246 23.234.247.86 27.22.85.156 27.66.75.12 27.68.156.195 27.71.85.205

Basic Information

IP Address

210.245.60.235

Domain

-

ISP

FPT Telecom Company

Country

Viet Nam

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2022-11-04

Last seen in Akamai Guardicore Segmentation

2024-03-28

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User 2 times

Successful SMB Login

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC02 under service group None

Service Start Service Creation

Service MSIServer was started

Service Start

Process c:\windows\system32\msiexec.exe generated outgoing network traffic to: 111.173.83.211:16772, 178.62.49.17:14664, 210.245.60.235:17527, 23.94.203.148:14093 and 58.240.33.194:18387

Outgoing Connection

The file C:\WINDOWS\Installer\MSI3.tmp was downloaded and loaded by c:\windows\installer\msi3.tmp

Download and Execute

The file C:\WINDOWS\Installer\MSI4.tmp was downloaded and loaded by c:\windows\system32\msiexec.exe

Download and Execute

The file C:\WINDOWS\Installer\MSI6.tmp was downloaded and loaded by c:\windows\installer\msi6.tmp

Download and Execute

The file C:\WINDOWS\Installer\MSI7.tmp was downloaded and loaded by c:\windows\installer\msi7.tmp

Download and Execute

Process c:\windows\system32\msiexec.exe attempted to access suspicious domains: krisent.com

Access Suspicious Domain Outgoing Connection

The file C:\WINDOWS\Installer\MSIA.tmp was downloaded and loaded by c:\windows\installer\msia.tmp

Download and Execute

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC09 under service group None

Service Start Service Creation

Connection was closed due to user inactivity

Associated Files

C:\Windows\Installer\MSI1E5A.tmp

SHA256: 6094c813ca4bd0c647b950ba286bd338ef3623fa953b3bcf1a359b88f7296e55

144896 bytes