Analysis

  • max time kernel
    88s
  • max time network
    83s
  • platform
    windows7_x64
  • resource
    win7v200430
  • submitted
    07/07/2020, 06:22 UTC

General

  • Target

    eSlipgqm.exe

  • Size

    913KB

  • MD5

    643d8efc8b76e065a277f18e31c22789

  • SHA1

    402e6c201ce14042b7c70bbf733a95119d23cc87

  • SHA256

    8f787ad8df4ea3ee0c0940cf5170cccffa5c5783f065b89581de06c53a20b30c

  • SHA512

    3427a7fca23990c8ccbd3e638c5ffbd4b6ad7e811e22db9d9596b563d82c676a8743119428a971a2835a8d2e5e8746a358e6be89bc0642f11f5317b0734b2735

Score
6/10

Malware Config

Signatures

  • Adds Run entry to start application
    Persistence via a Run registry key; raised on eSlipgqm.exe (PID 1296)

Processes

  • C:\Users\Admin\AppData\Local\Temp\eSlipgqm.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\eSlipgqm.exe"
    PID: 1296
    Signature: Adds Run entry to start application

Network

  • DNS
    www.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    www.microsoft.com
    IN A
    Response
    www.microsoft.com
    IN CNAME
    www.microsoft.com-c-3.edgekey.net
    www.microsoft.com-c-3.edgekey.net
    IN CNAME
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    www.microsoft.com-c-3.edgekey.net.globalredir.akadns.net
    IN CNAME
    e13678.dspb.akamaiedge.net
    e13678.dspb.akamaiedge.net
    IN A
    2.21.41.70
  • DNS
    drive.google.com
    Remote address:
    8.8.8.8:53
    Request
    drive.google.com
    IN A
    Response
    drive.google.com
    IN A
    216.58.211.110
  • GET
    https://drive.google.com/u/0/uc?id=1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ&export=download
    eSlipgqm.exe
    Remote address:
    216.58.211.110:443
    Request
    GET /u/0/uc?id=1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ&export=download HTTP/1.1
    User-Agent: CODE
    Host: drive.google.com
    Cache-Control: no-cache
    Response
    HTTP/1.1 302 Moved Temporarily
    Content-Type: text/html; charset=UTF-8
    Cache-Control: no-cache, no-store, max-age=0, must-revalidate
    Pragma: no-cache
    Expires: Mon, 01 Jan 1990 00:00:00 GMT
    Date: Tue, 07 Jul 2020 06:22:38 GMT
    Location: https://doc-0o-34-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/orkie751ae26l5vprm0fcsvk9ma1ga2k/1594102950000/13816947845972265350/*/1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ?e=download
    P3P: CP="This is not a P3P policy! See g.co/p3phelp for more info."
    Content-Security-Policy: script-src 'report-sample' 'nonce-iKymcVy/ILhAoJegDDP8aw' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'self';report-uri https://csp.withgoogle.com/csp/drive-explorer/
    X-Content-Type-Options: nosniff
    X-Frame-Options: SAMEORIGIN
    X-XSS-Protection: 1; mode=block
    Server: GSE
    Set-Cookie: NID=204=o6hG2UqGZWwWtIszGN0gTsNV_sg0QWBS8qI1NYXA5BGgliduusom0JJIHOjHsM3AT3NIgE_hhXEQFAtkOzhTkFyMhKV8yr11v8VP2xioE2SMLQG6zCSVUYd09b9W-jjv6wd4D2EwHiSHsMLdHQFBPO9HUnFarODdED9zjAWe-6M; expires=Wed, 06-Jan-2021 06:22:38 GMT; path=/; domain=.google.com; HttpOnly
    Alt-Svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
    Accept-Ranges: none
    Vary: Accept-Encoding
    Transfer-Encoding: chunked
  • DNS
    ocsp.pki.goog
    Remote address:
    8.8.8.8:53
    Request
    ocsp.pki.goog
    IN A
    Response
    ocsp.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    172.217.17.131
  • GET
    http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
    eSlipgqm.exe
    Remote address:
    172.217.17.131:80
    Request
    GET /gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.pki.goog
    Response
    HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Date: Mon, 06 Jul 2020 21:26:01 GMT
    Server: ocsp_responder
    Content-Length: 468
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Cache-Control: public, max-age=86400
    Age: 32196
  • GET
    http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEH4Q2QH3rAPNCAAAAABH744%3D
    eSlipgqm.exe
    Remote address:
    172.217.17.131:80
    Request
    GET /gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEH4Q2QH3rAPNCAAAAABH744%3D HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.pki.goog
    Response
    HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Date: Mon, 06 Jul 2020 16:14:58 GMT
    Server: ocsp_responder
    Content-Length: 471
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Cache-Control: public, max-age=86400
    Age: 50860
  • GET
    http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCaaj9s9KcahwMAAAAAkd0g
    eSlipgqm.exe
    Remote address:
    172.217.17.131:80
    Request
    GET /gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCaaj9s9KcahwMAAAAAkd0g HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: ocsp.pki.goog
    Response
    HTTP/1.1 200 OK
    Content-Type: application/ocsp-response
    Date: Mon, 06 Jul 2020 18:22:48 GMT
    Server: ocsp_responder
    Content-Length: 472
    X-XSS-Protection: 0
    X-Frame-Options: SAMEORIGIN
    Cache-Control: public, max-age=86400
    Age: 43190
  • DNS
    doc-0o-34-docs.googleusercontent.com
    Remote address:
    8.8.8.8:53
    Request
    doc-0o-34-docs.googleusercontent.com
    IN A
    Response
    doc-0o-34-docs.googleusercontent.com
    IN CNAME
    googlehosted.l.googleusercontent.com
    googlehosted.l.googleusercontent.com
    IN A
    172.217.17.65
  • GET
    https://doc-0o-34-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/orkie751ae26l5vprm0fcsvk9ma1ga2k/1594102950000/13816947845972265350/*/1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ?e=download
    eSlipgqm.exe
    Remote address:
    172.217.17.65:443
    Request
    GET /docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/orkie751ae26l5vprm0fcsvk9ma1ga2k/1594102950000/13816947845972265350/*/1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ?e=download HTTP/1.1
    User-Agent: CODE
    Connection: Keep-Alive
    Cache-Control: no-cache
    Host: doc-0o-34-docs.googleusercontent.com
    Response
    HTTP/1.1 200 OK
    X-GUploader-UploadID: AAANsUmhsaR7gMz1pEEyGv9ZLhrm_2x5xiQMRqhGobKeuGIYHEorjVntzpgWGPC3tFvNEaqe0_to72NqU2S62LMviG1vNCeyrQ
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Credentials: false
    Access-Control-Allow-Headers: Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, GData-Version, google-cloud-resource-prefix, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, x-chrome-connected, X-ClientDetails, X-Client-Version, X-Firebase-Locale, X-Goog-Firebase-Installations-Auth, X-Firebase-Client, X-Firebase-Client-Log-Type, X-GData-Client, X-GData-Key, X-GoogApps-Allowed-Domains, X-Goog-AdX-Buyer-Impersonation, X-Goog-Api-Client, X-Goog-AuthUser, x-goog-ext-124712974-jspb, x-goog-ext-259736195-jspb, X-Goog-PageId, X-Goog-Encode-Response-If-Executable, X-Goog-Correlation-Id, X-Goog-Request-Info, X-Goog-Request-Reason, X-Goog-Experiments, x-goog-iam-authority-selector, x-goog-iam-authorization-token, X-Goog-Spatula, X-Goog-Travel-Bgr, X-Goog-Travel-Settings, X-Goog-Upload-Command, X-Goog-Upload-Content-Disposition, X-Goog-Upload-Content-Length, X-Goog-Upload-Content-Type, X-Goog-Upload-File-Name, X-Goog-Upload-Header-Content-Length, X-Goog-Upload-Offset, X-Goog-Upload-Protocol, x-goog-user-project, X-Goog-Visitor-Id, X-Goog-FieldMask, X-Google-Project-Override, X-Goog-Api-Key, X-HTTP-Method-Override, X-JavaScript-User-Agent, X-Pan-Versionid, X-Proxied-User-IP, X-Origin, X-Referer, X-Requested-With, X-Stadia-Client-Context, X-Upload-Content-Length, X-Upload-Content-Type, X-Use-HTTP-Status-Code-Override, X-Ios-Bundle-Identifier, X-Android-Package, X-Ariane-Xsrf-Token, X-YouTube-VVT, X-YouTube-Page-CL, X-YouTube-Page-Timestamp, X-Goog-Meeting-Botguardid, X-Goog-Meeting-ClientVersion, X-Goog-Meeting-Debugid, X-Goog-Meeting-RtcClient, X-Goog-Meeting-Token, X-Client-Data, X-Sfdc-Authorization, MIME-Version, Content-Transfer-Encoding, X-Earth-Engine-App-ID-Token, X-Earth-Engine-Computation-Profile, X-Earth-Engine-Computation-Profiling, X-Play-Console-Experiments-Override, X-Play-Console-Session-Id, x-alkali-account-key, x-alkali-application-key, x-alkali-auth-apps-namespace, x-alkali-auth-entities-namespace, x-alkali-auth-entity, x-alkali-client-locale, EES-S7E-MODE, cast-device-capabilities
    Access-Control-Allow-Methods: GET,OPTIONS
    Content-Type: application/octet-stream
    Content-Disposition: attachment;filename="eSlip";filename*=UTF-8''eSlip
    Date: Tue, 07 Jul 2020 06:22:39 GMT
    Expires: Tue, 07 Jul 2020 06:22:39 GMT
    Cache-Control: private, max-age=0
    X-Goog-Hash: crc32c=HQ+xWg==
    Content-Length: 941056
    Server: UploadServer
    Alt-Svc: h3-29=":443"; ma=2592000,h3-27=":443"; ma=2592000,h3-25=":443"; ma=2592000,h3-T050=":443"; ma=2592000,h3-Q050=":443"; ma=2592000,h3-Q046=":443"; ma=2592000,h3-Q043=":443"; ma=2592000,quic=":443"; ma=2592000; v="46,43"
  • 2.21.41.70:443
    Domain: www.microsoft.com
    Process: eSlipgqm.exe
    Bytes: 190 B sent, 92 B received
    Packets: 4 sent, 2 received
  • 216.58.211.110:443
    URL: https://drive.google.com/u/0/uc?id=1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ&export=download
    Protocol: tls, http
    Process: eSlipgqm.exe
    Bytes: 1.0kB sent, 7.2kB received
    Packets: 12 sent, 13 received
    HTTP Request: GET https://drive.google.com/u/0/uc?id=1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ&export=download
    HTTP Response: 302
  • 172.217.17.131:80
    URL: http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCaaj9s9KcahwMAAAAAkd0g
    Protocol: http
    Process: eSlipgqm.exe
    Bytes: 1.1kB sent, 2.3kB received
    Packets: 8 sent, 5 received
    HTTP Request: GET http://ocsp.pki.goog/gsr2/ME4wTDBKMEgwRjAJBgUrDgMCGgUABBTgXIsxbvr2lBkPpoIEVRE6gHlCnAQUm%2BIHV2ccHsBqBt5ZtJot39wZhi4CDQHjtJqhjYqpgSVpULg%3D
    HTTP Response: 200
    HTTP Request: GET http://ocsp.pki.goog/gts1o1core/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEH4Q2QH3rAPNCAAAAABH744%3D
    HTTP Response: 200
    HTTP Request: GET http://ocsp.pki.goog/gts1o1core/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBRCRjDCJxnb3nDwj%2Fxz5aZfZjgXvAQUmNH4bhDrz5vsYJ8YkBug630J%2FSsCEQCaaj9s9KcahwMAAAAAkd0g
    HTTP Response: 200
  • 172.217.17.65:443
    URL: https://doc-0o-34-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/orkie751ae26l5vprm0fcsvk9ma1ga2k/1594102950000/13816947845972265350/*/1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ?e=download
    Protocol: tls, http
    Process: eSlipgqm.exe
    Bytes: 17.1kB sent, 997.0kB received
    Packets: 359 sent, 693 received
    HTTP Request: GET https://doc-0o-34-docs.googleusercontent.com/docs/securesc/ha0ro937gcuc7l7deffksulhg5h7mbp1/orkie751ae26l5vprm0fcsvk9ma1ga2k/1594102950000/13816947845972265350/*/1_OEhdgGvKkn1xaT3kJ2MQ3XBdyYnl1rJ?e=download
    HTTP Response: 200
  • 8.8.8.8:53
    Domain: www.microsoft.com
    Protocol: dns
    Bytes: 63 B sent, 230 B received
    Packets: 1 sent, 1 received
    DNS Request: www.microsoft.com
    DNS Response: 2.21.41.70
  • 224.0.0.252:5355
    Protocol: llmnr (multicast; no reply recorded)
    Bytes: 100 B sent
    Packets: 2 sent
  • 10.7.0.255:137
    Protocol: netbios-ns
    Bytes: 234 B sent
    Packets: 3 sent
  • 8.8.8.8:53
    Domain: drive.google.com
    Protocol: dns
    Bytes: 62 B sent, 78 B received
    Packets: 1 sent, 1 received
    DNS Request: drive.google.com
    DNS Response: 216.58.211.110
  • 8.8.8.8:53
    Domain: ocsp.pki.goog
    Protocol: dns
    Bytes: 59 B sent, 110 B received
    Packets: 1 sent, 1 received
    DNS Request: ocsp.pki.goog
    DNS Response: 172.217.17.131
  • 8.8.8.8:53
    Domain: doc-0o-34-docs.googleusercontent.com
    Protocol: dns
    Bytes: 82 B sent, 127 B received
    Packets: 1 sent, 1 received
    DNS Request: doc-0o-34-docs.googleusercontent.com
    DNS Response: 172.217.17.65
  • 239.255.255.250:1900
    Protocol: ssdp (multicast; no reply recorded)
    Bytes: 966 B sent
    Packets: 6 sent
  • 10.7.0.255:138
    Protocol: netbios-dgm
    Bytes: 229 B sent
    Packets: 1 sent

MITRE ATT&CK Enterprise v6
