IP Address: 39.144.18.95Previously Malicious
IP Address: 39.144.18.95Previously Malicious
This IP address attempted an attack on a machine in our threat sensors network
Role |
Attacker, Scanner |
Services Targeted |
HTTP |
Tags |
Service Start Service Creation Post Reboot Rename Service Configuration HTTP Service Stop Download and Execute NetBIOS Access Suspicious Domain Service Deletion Outgoing Connection Malicious File Scheduled Task Creation Download File DNS Query IDS - A Network Trojan was detected CMD System File Modification |
Associated Attack Servers |
IP Address |
39.144.18.95 |
|
Domain |
- |
|
ISP |
China Mobile Guangdong |
|
Country |
China |
|
WHOIS |
Created Date |
- |
Updated Date |
- |
|
Organization |
- |
First seen in Akamai Guardicore Segmentation |
2021-05-05 |
Last seen in Akamai Guardicore Segmentation |
2021-05-05 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
IDS detected A Network Trojan was detected : Possible DOUBLEPULSAR Beacon Response |
IDS - A Network Trojan was detected |
Process c:\windows\system32\lsass.exe attempted to access suspicious domains: 2.indexsinas.me |
DNS Query Access Suspicious Domain Outgoing Connection |
Process c:\windows\system32\lsass.exe generated outgoing network traffic to: 210.90.186.195:811 |
Outgoing Connection |
System file c:\Windows\c64.exe was modified 16 times |
System File Modification |
The file c:\Windows\c64.exe was downloaded and executed |
Download and Execute |
C:\WINDOWS\Fonts\Mysql\mance.exe was identified as malicious by YARA according to rules: Apt Eqgrp Apr17 |
Malicious File |
C:\WINDOWS\Fonts\Mysql\puls.exe was identified as malicious by YARA according to rules: Apt Eqgrp Apr17 |
Malicious File |
The file C:\WINDOWS\Temp\xsfxdel~.exe was downloaded and executed |
Download and Execute |
c:\windows\temp\xsfxdel~.exe was deleted by c:\windows\c64.exe ( pending reboot ) |
Post Reboot Rename |
c:\Windows\86.exe was downloaded 2 times |
Download File |
System file c:\Windows\86.exe was modified 4 times |
System File Modification |
The file C:\WINDOWS\Fonts\Mysql\svchost.exe was downloaded and executed |
Download and Execute |
The command line C:\Windows\Fonts\Mysql\nei.bat was scheduled to run by modifying C:\WINDOWS\Tasks\At1.job |
|
The file C:\WINDOWS\iexplore.exe was downloaded and executed |
Download and Execute |
The command line C:\Windows\Fonts\Mysql\wai.bat was scheduled to run by modifying C:\WINDOWS\Tasks\At2.job |
|
Service Browser was stopped |
Service Stop |
The file C:\WINDOWS\Fonts\svchost.exe was downloaded and executed 5 times |
Download and Execute |
c:\windows\system32\services.exe installed and started c:\windows\fonts\svchost.exe as a service named MicrosotMaims under service group None |
Service Start Service Creation |
The file C:\WINDOWS\Fonts\conhost.exe was downloaded and executed |
Download and Execute |
Connection was closed due to user inactivity |
|