Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 58.22.218.108Malicious

IP Address: 58.22.218.108Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Connect-Back, Scanner

Services Targeted

SMB

Tags

Service Start Access Suspicious Domain Service Deletion SMB Null Session Login SMB Outgoing Connection MSRPC Successful SMB Login Service Creation System File Modification CMD

Associated Attack Servers

0101host.com 121.in-addr.arpa 163data.com.cn 182.in-addr.arpa 49-tataidc.co.in 60.in-addr.arpa actcorp.in airtelbroadband.in airtel.in as270353.com.br asianet.co.in atinfo.inf.br bcnb.ac.th bracnet.net cable.net.co ccclindia.com collabefood.com comnet.net.id ctbctelecom.com.br eastern-tele.com elcat.kg hinet.net hwclouds-dns.com ifx.net.co iplannetworks.net jlccptt.net.cn masirsamane.ir moratelindo.co.id net-uno.net nexlinx.net.pk

1.4.212.51 1.248.75.8 2.134.42.161 2.179.64.88 2.186.122.51 5.183.29.185 8.137.48.200 14.8.139.97 14.23.45.181 14.96.9.242 14.157.138.127 14.157.138.223 14.175.191.219 14.191.3.58 14.207.60.230 14.224.132.187 14.228.110.106 14.244.154.134 14.244.166.234 14.245.101.31 14.246.52.6 14.250.145.100 23.94.203.148 23.234.247.86 27.6.236.152 27.23.113.28 27.71.84.78 27.125.130.99 27.151.28.142 27.188.64.243

Basic Information

IP Address

58.22.218.108

Domain

-

ISP

China Unicom Liaoning

Country

China

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2022-11-14

Last seen in Akamai Guardicore Segmentation

2024-04-13

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

System file c:\windows\inf\oldcache.000 was modified

System File Modification

A user logged in using SMB with the following username: administrator - Authentication policy: Reached Max Attempts

Successful SMB Login

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User

Successful SMB Login

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC02 under service group None

Service Creation Service Start

Service MSIServer was started

Service Start

A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User

Successful SMB Login

Process c:\windows\system32\msiexec.exe generated outgoing network traffic to: 159.89.31.59:16801, 187.39.130.138:13118 and 58.22.218.108:10310

Outgoing Connection

Process c:\windows\system32\msiexec.exe attempted to access suspicious domains: virtua.com.br

Access Suspicious Domain Outgoing Connection

c:\windows\system32\services.exe installed and started mshta.exe as a service named AC04 under service group None

Service Creation Service Start

Connection was closed due to user inactivity