IP Address: 89.249.48.164Malicious
IP Address: 89.249.48.164Malicious
This IP address attempted an attack on a machine in our threat sensors network
|
Role |
Attacker, Connect-Back, Scanner |
|
Services Targeted |
SMB |
|
Tags |
Outgoing Connection Access Suspicious Domain MSRPC Service Start Service Deletion Successful SMB Login Service Creation SMB Null Session Login SMB CMD |
|
Associated Attack Servers |
0101host.com ipct.ru ptl.ru vanagon.com 2.63.251.131 14.224.197.169 36.64.152.129 36.67.186.130 41.111.188.21 58.22.82.196 61.178.43.239 61.240.16.107 69.160.118.128 74.96.232.10 77.242.17.114 95.80.100.54 103.57.38.231 103.155.122.174 103.208.207.56 103.215.205.147 110.93.244.146 111.42.132.72 111.180.195.50 115.195.113.60 116.68.98.62 118.99.68.176 125.211.217.14 136.232.196.14 144.48.227.75 151.38.111.194 159.89.31.59 170.64.177.69 171.40.124.117 |
|
IP Address |
89.249.48.164 |
|
|
Domain |
- |
|
|
ISP |
Intersat S.A. |
|
|
Country |
Russian Federation |
|
|
WHOIS |
Created Date |
- |
|
Updated Date |
- |
|
|
Organization |
- |
|
|
First seen in Akamai Guardicore Segmentation |
2023-11-20 |
|
Last seen in Akamai Guardicore Segmentation |
2024-04-17 |
What is Akamai Guardicore SegmentationAkamai Guardicore Segmentation is a data center and cloud security solution that protects the organization's core assets, using flexible, quickly deployed and easy to understand micro-segmentation controls. Akamai Guardicore Segmentation generates in-context security incidents, with details on attacker tools and techniques, that help IR teams prioritize incident investigation and reduce dwell time. Learn More
|
A user logged in using SMB with the following username: administrator - Authentication policy: Reached Max Attempts |
Successful SMB Login |
|
A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User |
Successful SMB Login |
|
c:\windows\system32\services.exe installed and started mshta.exe as a service named AC04 under service group None |
Service Start Service Creation |
|
Service MSIServer was started |
Service Start |
|
A user logged in using SMB with the following username: administrator - Authentication policy: Previously Approved User |
Successful SMB Login |
|
Process c:\windows\system32\msiexec.exe generated outgoing network traffic to: 111.180.195.50:14426, 74.96.232.10:19408 and 89.249.48.164:15551 |
Outgoing Connection |
|
Process c:\windows\system32\msiexec.exe attempted to access suspicious domains: ipct.ru and vanagon.com |
Outgoing Connection Access Suspicious Domain |
|
c:\windows\system32\services.exe installed and started mshta.exe as a service named AC05 under service group None |
Service Start Service Creation |
|
Connection was closed due to user inactivity |
|
© 2023 Akamai Technologies
