IP Address: 221.194.44.208Previously Malicious
IP Address: 221.194.44.208Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
MSSQL |
Tags |
Successful MSSQL Login Outgoing Connection Scheduled Task Creation MSSQL Brute Force Access Suspicious Domain CMD DNS Query Download File Create MsSql Procedure Download and Execute System File Modification File Operation By CMD Service Stop MSSQL Execute MsSql Shell Command Persistency - Mime Filter HTTP |
Associated Attack Servers |
IP Address |
221.194.44.208 |
|
Domain |
- |
|
ISP |
China Unicom Hebei |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2019-11-16 |
Last seen in Akamai Guardicore Segmentation |
2020-05-24 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
A user logged in using MSSQL with the following username: sa - Authentication policy: Reached Max Attempts (Part of a Brute Force Attempt) |
MSSQL Brute Force Successful MSSQL Login |
A user logged in using MSSQL with the following credentials: sa / ** - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) |
MSSQL Brute Force Successful MSSQL Login |
A user logged in using MSSQL with the following username: sa - Authentication policy: Previously Approved User (Part of a Brute Force Attempt) |
MSSQL Brute Force Successful MSSQL Login |
MSSQL procedures were created: sp_addextendedproc and sp_dropextendedproc |
Create MsSql Procedure |
Service CryptSvc was stopped |
Service Stop |
c:\windows\system32\regsvr32.exe installed a Persistency - Mime Filter backdoor by modifying Windows Registry 35 times |
Persistency - Mime Filter |
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\ftp.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
The file C:\Windows\System32\p.exe was downloaded and executed 7 times |
Download and Execute |
Process c:\windows\system32\p.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\p.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
System file C:\Windows\AppCompat\Programs\Amcache.hve was modified |
System File Modification |
Process c:\windows\syswow64\ftp.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\syswow64\ftp.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
Process c:\windows\system32\p.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\p.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
MSSQL executed 3 shell commands |
Execute MsSql Shell Command |
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 124.166.251.20:21 2 times |
Outgoing Connection |
Process c:\windows\system32\ftp.exe attempted to access suspicious domains: adsl-pool.sx.cn 2 times |
Access Suspicious Domain Outgoing Connection |
The command line c:\Ugfzdb.exe was scheduled to run by modifying C:\Windows\System32\Tasks\45645 |
|
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\ftp.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
Process c:\windows\system32\p.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\p.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\ftp.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
Process c:\windows\syswow64\ftp.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\syswow64\ftp.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
The file C:\ProgramData\foahpwo.dll was downloaded and executed 3 times |
Download and Execute |
Process c:\windows\system32\p.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\p.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\ftp.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
Process c:\windows\system32\p.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\p.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
Process c:\windows\system32\ftp.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\ftp.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
The file C:\ProgramData\ssssssss.exe was downloaded and executed 3 times |
Download and Execute |
C:\lang.exe was downloaded 10 times |
Download File |
Process c:\programdata\ssssssss.exe attempted to access suspicious domains: xianzai.noip.cn |
DNS Query Access Suspicious Domain |
Process c:\programdata\ssssssss.exe attempted to access suspicious domains: xianzai.noip.cn 7 times |
DNS Query Access Suspicious Domain |
Process c:\programdata\ssssssss.exe attempted to access suspicious domains: xianzai.noip.cn |
DNS Query Access Suspicious Domain |
Process c:\programdata\ssssssss.exe attempted to access suspicious domains: xianzai.noip.cn |
DNS Query Access Suspicious Domain |
C:\jin.exe was downloaded 10 times |
Download File |
Process c:\windows\system32\p.exe generated outgoing network traffic to: 124.166.251.20:21 |
Outgoing Connection |
Process c:\windows\system32\p.exe attempted to access suspicious domains: adsl-pool.sx.cn |
Access Suspicious Domain Outgoing Connection |
Connection was closed due to user inactivity |
|