IP Address: 45.238.18.26Malicious
IP Address: 45.238.18.26Malicious
This IP address attempted an attack on a machine in our threat sensors network
|
Role |
Attacker, Scanner |
|
Services Targeted |
SMB |
|
Tags |
Persistency - Logon Successful SMB Login Listening SMB Service Deletion Outgoing Connection Service Creation NetBIOS SMB Null Session Login SMB Share Connect Download and Execute Service Start |
|
Associated Attack Servers |
|
IP Address |
45.238.18.26 |
|
|
Domain |
- |
|
|
ISP |
- |
|
|
Country |
Argentina |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Akamai Guardicore Segmentation |
2022-12-05 |
|
Last seen in Akamai Guardicore Segmentation |
2023-02-23 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
|
A user logged in using SMB from SERVER with the following username: administrator - Authentication policy: Reached Max Attempts |
Successful SMB Login |
|
The file C:\WINDOWS\lsass.exe was downloaded and executed |
Download and Execute |
|
The file C:\WINDOWS\system32\lsasvc.exe was downloaded and executed 2 times |
Download and Execute |
|
Process c:\windows\lsass.exe generated outgoing network traffic to: 209.85.133.114:25 |
Outgoing Connection |
|
c:\windows\system32\services.exe installed and started c:\windows\lsass.exe as a service named WUpdate under service group None |
Service Start Service Creation |
|
c:\windows\lsass.exe set the command line c:\windows\lsass.exe to run using Persistency - Logon |
Persistency - Logon |
|
c:\windows\system32\services.exe installed and started c:\windows\system32\lsasvc.exe as a service named LSAService under service group None |
Service Start Service Creation |
|
Process c:\windows\system32\lsasvc.exe started listening on ports: 186 |
Listening |
|
A user logged in using SMB from SERVER with the following username: administrator - Authentication policy: Previously Approved User |
Successful SMB Login |
|
Connection was closed due to user inactivity |
|
|
C:\WINDOWS\system32\lsasvc.exe |
SHA256: 6beb9eb9c18990e788773b56bd0f00518177bcd228f59df23e329a1e967644ed |
18977 bytes |
|
C:\WINDOWS\lsass.exe |
SHA256: a29d02251f54567edb1d32f7c17ce4c04d5c54e317eb3b2bea2a068da728e59a |
33128 bytes |
© 2023 Akamai Technologies