Cyber Threat Intelligence

Discover malicious IPs and domains with Akamai Guardicore Segmentation

IP Address: 78.186.169.150Previously Malicious

IP Address: 78.186.169.150Previously Malicious

This IP address attempted an attack on a machine in our threat sensors network

Threat Information

Role

Attacker, Scanner

Services Targeted

SMB

Tags

Listening Access Suspicious Domain Access Violation CMD SMB Null Session Login Service Stop Successful SMB Login SMB Persistency - Logon IDS - A Network Trojan was detected SMB Share Connect Service Creation Download File Service Start Service Deletion Download and Execute Execute from Share Access Share DNS Query Cookie Hijacking Service Configuration

Associated Attack Servers

-

Basic Information

IP Address

78.186.169.150

Domain

-

ISP

Turk Telekom

Country

Turkey

WHOIS

Created Date

-

Updated Date

-

Organization

-

First seen in Akamai Guardicore Segmentation

2018-06-03

Last seen in Akamai Guardicore Segmentation

2021-03-08

What is Akamai Guardicore Segmentation
Akamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More

Attack Flow

A user logged in using SMB with the following username: Administrator - Authentication policy: Correct Password

Successful SMB Login

c:\windows\system32\services.exe installed and started \\server-backup\c$\xhizstof.exe as a service named jiQc under service group None

Service Start Service Creation

xhizstof.exe was executed from the remote share \\server-backup\c$

Execute from Share

Service jiQc was stopped

Service Stop

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (MSF style)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : Possible ETERNALBLUE Probe MS17-010 (Generic Flags)

IDS - A Network Trojan was detected

IDS detected A Network Trojan was detected : ETERNALBLUE Probe Vulnerable System Response MS17-010

IDS - A Network Trojan was detected

c:\windows\system32\services.exe installed and started cmd as a service named hNGH under service group None

Service Start Service Creation

The file C:\installed2.exe was downloaded and executed

Download and Execute

c:\windows\system32\services.exe installed and started cmd as a service named IEQQ under service group None

Service Start Service Creation

The file C:\WINDOWS\Temp\svchost.exe was downloaded and executed 2 times

Download and Execute

Service IEQQ was stopped

Service Stop

Process c:\installed2.exe started listening on ports: 65533

Listening

The file c:\windows\system32\wmiex.exe was downloaded and executed 2 times

Download and Execute

Process c:\windows\temp\svchost.exe started listening on ports: 60124

Listening

Process c:\installed2.exe attempted to access suspicious domains: i.haqo.net and p.abbny.com

DNS Query Access Suspicious Domain

c:\windows\temp\ttt.exe set the command line C:\WINDOWS\system32\wmiex.exe to run using Persistency - Logon

Persistency - Logon

c:\windows\system32\services.exe installed and started c:\windows\system32\wmiex.exe as a service named WebServers under service group None

Service Start Service Creation

Connection was closed due to timeout