
Windows Analysis Report
REDRAGON Gaming Mouse.exe

Overview

General Information

Sample Name:REDRAGON Gaming Mouse.exe
Analysis ID:708245
MD5:55fe4ee7603acfe95ac3da87f701ad05
SHA1:0a924938d54dad52d00bfe8d4e09cc8fd9c92361
SHA256:7e6c76db8bf23796814972eab33cdb4c1bb6ff7a7a0f705ae847f7ab49e3ea26

Detection

Score:12
Range:0 - 100
Whitelisted:false
Confidence:60%

Signatures

Obfuscated command line found
Uses 32bit PE files
Antivirus or Machine Learning detection for unpacked file
Sample file is different than original file name gathered from version info
PE file contains strange resources
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Creates files inside the system directory
Queries keyboard layouts
Found dropped PE file which has not been started or loaded
PE file contains executable resources (Code or Archives)

Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample may offer command line options; run it with the 'Execute binary with arguments' cookbook (the command line switches may require prefix characters such as "-", "/" or "--").
  • System is w10x64
  • REDRAGON Gaming Mouse.exe (PID: 5944 cmdline: "C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe" MD5: 55FE4EE7603ACFE95AC3DA87F701AD05)
    • REDRAGON Gaming Mouse.tmp (PID: 5936 cmdline: "C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp" /SL5="$4028C,19156318,421888,C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe" MD5: 89ED0CB7A3290A58DF3966D987350585)
  • cleanup
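The child process in the tree above is the ordinary Inno Setup loader hand-off: the outer executable (SetupLdr) unpacks the real Setup program to %TEMP%\is-XXXXX.tmp\<name>.tmp and starts it with a /SL5 argument, and that argument is what trips the "Obfuscated command line found" signature further down. The triage helper below is an added example written for this page, not code from Joe Sandbox or from Inno Setup; it recognises that hand-off and cross-checks the /SL5 fields against the parent process. Reading the fields as the loader's window handle, two offsets into the loader file and the loader's own path is my interpretation of the Inno Setup loader source and is an assumption, as is the regular expression; the inputs are constructed from the process tree and from the static file size reported later in this page (19602731 bytes).

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed from this report's process tree and static file information.
REPORT_FILE_SIZE = 19602731
PARENT_IMAGE = r"C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe"
CHILD_CMDLINE = (
    r'"C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp" '
    r'/SL5="$4028C,19156318,421888,C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe"'
)

# Shape of the Inno Setup loader hand-off as assumed here (my reading of the loader source):
#   "<%TEMP%>\is-XXXXX.tmp\<name>.tmp" /SL5="$<hwnd hex>,<offset0>,<offset1>,<loader path>"
SL5_RE = re.compile(
    r'^"(?P<child>[^"]*\\is-[A-Z0-9]{5}\.tmp\\[^"\\]+\.tmp)"\s+'
    r'/SL5="\$(?P<hwnd>[0-9A-Fa-f]+),(?P<off0>\d+),(?P<off1>\d+),(?P<loader>[^"]+)"\s*$'
)


@dataclass
class SL5Verdict:
    is_inno_setupldr: bool
    child: Optional[str] = None
    hwnd: Optional[int] = None
    offset0: Optional[int] = None
    offset1: Optional[int] = None
    loader: Optional[str] = None
    problems: tuple = ()


def classify_child_cmdline(parent_image: str, child_cmdline: str, parent_size: int) -> SL5Verdict:
    """Return whether child_cmdline is the Inno Setup loader hand-off and, if so,
    whether its fields agree with the parent process that spawned it."""
    m = SL5_RE.match(child_cmdline)
    if m is None:
        return SL5Verdict(is_inno_setupldr=False)
    hwnd = int(m["hwnd"], 16)
    off0, off1 = int(m["off0"]), int(m["off1"])
    loader = m["loader"]
    problems = []
    # The loader path embedded in /SL5 must name the parent that spawned the .tmp;
    # a different path means something other than this installer built the argument.
    if loader.lower() != parent_image.lower():
        problems.append("loader path in /SL5 does not match parent image")
    # Both offsets are positions inside the loader file (assumption, see lead-in);
    # an offset at or past end of file cannot be read by the setup program.
    for name, off in (("offset0", off0), ("offset1", off1)):
        if off >= parent_size:
            problems.append(f"{name} {off} is beyond parent file size {parent_size}")
    return SL5Verdict(True, m["child"], hwnd, off0, off1, loader, tuple(problems))


if __name__ == "__main__":
    print(classify_child_cmdline(PARENT_IMAGE, CHILD_CMDLINE, REPORT_FILE_SIZE))
```

Two kinds of mismatch are worth a second look when this pattern shows up in a process tree: a loader path in /SL5 that is not the parent image, and offsets beyond the end of the parent file. Neither applies to the values in this report, which is consistent with the clean classification.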
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: 1.2.REDRAGON Gaming Mouse.tmp.5057a70.0.unpack | Avira: Label: TR/Patched.Ren.Gen
Source: REDRAGON Gaming Mouse.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
Source: REDRAGON Gaming Mouse.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: REDRAGON Gaming Mouse.tmp, 00000001.00000002.587017828.0000000005269000.00000004.00001000.00020000.00000000.sdmp | String found in binary or memory: http://dejavu-fonts.org
Source: REDRAGON Gaming Mouse.exe, 00000000.00000003.310902377.000000007FD40000.00000004.00001000.00020000.00000000.sdmp, REDRAGON Gaming Mouse.exe, 00000000.00000003.310669381.0000000002370000.00000004.00001000.00020000.00000000.sdmp, REDRAGON Gaming Mouse.tmp, 00000001.00000000.312540941.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.innosetup.com/
Source: REDRAGON Gaming Mouse.exe | String found in binary or memory: http://www.jrsoftware.org/ishelp/index.php?topic=setupcmdlineSetupU
Source: REDRAGON Gaming Mouse.exe, 00000000.00000003.310902377.000000007FD40000.00000004.00001000.00020000.00000000.sdmp, REDRAGON Gaming Mouse.exe, 00000000.00000003.310669381.0000000002370000.00000004.00001000.00020000.00000000.sdmp, REDRAGON Gaming Mouse.tmp, 00000001.00000000.312540941.0000000000401000.00000020.00000001.01000000.00000004.sdmp | String found in binary or memory: http://www.remobjects.com/ps
Source: REDRAGON Gaming Mouse.exe, 00000000.00000003.310835868.00000000024D1000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename shfolder.dll~/ vs REDRAGON Gaming Mouse.exe
Source: REDRAGON Gaming Mouse.exe, 00000000.00000003.311170050.000000007FE9D000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilename shfolder.dll~/ vs REDRAGON Gaming Mouse.exe
Source: REDRAGON Gaming Mouse.exe | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: REDRAGON Gaming Mouse.tmp.0.dr | Static PE information: Resource name: RT_BITMAP type: GLS_BINARY_LSB_FIRST
Source: REDRAGON Gaming Mouse.tmp.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | File created: C:\Windows\unins000.dat
Source: REDRAGON Gaming Mouse.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (console) x86-64, for MS Windows
Source: REDRAGON Gaming Mouse.tmp.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Source: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe | File read: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe
Source: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: unknown | Process created: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe "C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe"
Source: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp "C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp" /SL5="$4028C,19156318,421888,C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InProcServer32
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | File created: C:\Program Files (x86)\REDRAGON Gaming Mouse
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | File created: C:\Users\user\AppData\Local\Programs
Source: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe | File created: C:\Users\user\AppData\Local\Temp\is-LH247.tmp
Source: REDRAGON Gaming Mouse.exe | String found in binary or memory: /LOADINF="filename"
Source: classification engine | Classification label: clean12.winEXE@3/796@0/0
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOrganization
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion RegisteredOwner
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Automated click: Next > (3 times)
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Automated click: Install
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Automated click: Next > (13 times)
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Window found: window name: TMainForm
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: REDRAGON Gaming Mouse.exe | Static file information: File size 19602731 > 1048576

Data Obfuscation

Source: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe | Process created: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp "C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp" /SL5="$4028C,19156318,421888,C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe"
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | File created: C:\Users\user\AppData\Local\Temp\is-CRAFL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | File created: C:\Windows\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | File created: C:\Windows\is-TLV8F.tmp
Source: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe | File created: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp
Source: C:\Users\user\Desktop\REDRAGON Gaming Mouse.exe | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX (8 times)
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Key opened: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Keyboard Layouts\04090409
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\is-CRAFL.tmp\_isetup\_setup64.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Dropped PE file which has not been started: C:\Windows\unins000.exe (copy)
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Dropped PE file which has not been started: C:\Windows\is-TLV8F.tmp
Source: C:\Users\user\AppData\Local\Temp\is-LH247.tmp\REDRAGON Gaming Mouse.tmp | Process information queried: ProcessInformation
MITRE ATT&CK matrix, listed per tactic (a numeric prefix is the report's own hit-count marker for that technique):
  • Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts
  • Execution: 12 Command and Scripting Interpreter; Scheduled Task/Job; At (Linux); At (Windows)
  • Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Privilege Escalation: 1 Process Injection; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac)
  • Defense Evasion: 22 Masquerading; 1 Software Packing; 1 Process Injection; 1 Deobfuscate/Decode Files or Information
  • Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS
  • Discovery: 1 Process Discovery; 2 System Owner/User Discovery; 11 System Information Discovery; System Network Configuration Discovery
  • Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture
  • Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer
  • Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups; Carrier Billing Fraud
  • Impact: Modify System Partition; Device Lockout; Delete Device Data