Windows Analysis Report
awg.exe

Overview

General Information

Sample name: awg.exe
Analysis ID: 1532545
MD5: 6f6e6d9de9a73f3d631647fc7d11896a
SHA1: cb3d2905dab453fabfbdc45b8ad29ae949976bbc
SHA256: 83e87f0785fcff3c76b18178cb0dad18693e5de192eec095c3eeb15c97f9c0b4
Tags: exeuser-Bacn

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Contains functionality to communicate with device drivers
Detected potential crypto function
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
PE file contains sections with non-standard names
Program does not show much activity (idle)
Sample file is different than original file name gathered from version info

Classification

AV Detection

Source: awg.exe Virustotal: Detection: 12%
Source: awg.exe Static PE information: certificate valid
Source: awg.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D404C30 SetupDiGetClassDevsExW,SetupDiEnumDeviceInfo,GetLastError,GetLastError,SetupDiEnumDeviceInfo,WideCharToMultiByte,malloc,WideCharToMultiByte,strlen,free,realloc,memcpy,_errno,free,SetupDiEnumDeviceInfo,GetLastError,calloc,free,SetupDiDestroyDeviceInfoList,FindFirstFileA,memcpy,FindNextFileA,memcmp,strlen,realloc,_errno,_errno,_errno,_errno,_errno,FindClose,_errno,_errno,_errno,free, 0_2_00007FF73D404C30
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D406500 FindFirstFileA,FindNextFileA,strcmp,FindNextFileA,FindClose,strcmp, 0_2_00007FF73D406500
Source: awg.exe String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: awg.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAR36.crl0y
Source: awg.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: awg.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingCAR36.crl0z
Source: awg.exe String found in binary or memory: http://crl.sectigo.com/SectigoPublicTimeStampingRootR46.crl0
Source: awg.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAR36.crt0#
Source: awg.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: awg.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingCAR36.crt0#
Source: awg.exe String found in binary or memory: http://crt.sectigo.com/SectigoPublicTimeStampingRootR46.p7c0#
Source: awg.exe String found in binary or memory: http://ocsp.comodoca.com0
Source: awg.exe String found in binary or memory: http://ocsp.sectigo.com0
Source: awg.exe String found in binary or memory: https://git.zx2c4.com/wireguard-tools/
Source: awg.exe String found in binary or memory: https://sectigo.com/CPS0
Source: awg.exe String found in binary or memory: https://www.wireguard.com/D
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D406C50: fwrite,fwrite,strchr,fwrite,fputc,fflush,strlen,strchr,strcmp,strtoll,_errno,_errno,_errno,_errno,_errno,calloc,free,fclose,_errno,fwrite,DeviceIoControl,_errno,_errno,free,CloseHandle, 0_2_00007FF73D406C50
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D404C30 0_2_00007FF73D404C30
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D406C50 0_2_00007FF73D406C50
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D402710 0_2_00007FF73D402710
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D4052A0 0_2_00007FF73D4052A0
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D3F511B 0_2_00007FF73D3F511B
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D406750 0_2_00007FF73D406750
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D4047B0 0_2_00007FF73D4047B0
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D4029D0 0_2_00007FF73D4029D0
Source: C:\Users\user\Desktop\awg.exe Code function: String function: 00007FF73D40C760 appears 47 times
Source: awg.exe, 00000000.00000000.1747520957.00007FF73D41C000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamewg.exe4 vs awg.exe
Source: awg.exe Binary or memory string: OriginalFilenamewg.exe4 vs awg.exe
Source: classification engine Classification label: mal48.winEXE@2/0@0/0
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4040:120:WilError_03
Source: awg.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\awg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: awg.exe String found in binary or memory: You may pass `--help' to any of these subcommands to view usage.
Source: awg.exe String found in binary or memory: --help
Source: awg.exe String found in binary or memory: interfaces%s%c-h--helphelpUsage: %s %s { <interface> | all | interfaces } [public-key | private-key | listen-port | fwmark | peers | preshared-keys | endpoints | allowed-ips | latest-handshakes | transfer | persistent-keepalive | dump]
Source: unknown Process created: C:\Users\user\Desktop\awg.exe "C:\Users\user\Desktop\awg.exe"
Source: C:\Users\user\Desktop\awg.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\awg.exe Section loaded: devobj.dll
Source: C:\Users\user\Desktop\awg.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\awg.exe Section loaded: kernel.appcore.dll
Source: awg.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: awg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: awg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: awg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: awg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: awg.exe Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: awg.exe Static PE information: section name: .00cfg
Source: C:\Users\user\Desktop\awg.exe API coverage: 5.2 %
Source: all processes Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected
Source: awg.exe, 00000000.00000003.1748799407.000002B0ADB9D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: C:\Users\user\Desktop\awg.exe Code function: 0_2_00007FF73D3F1160 Sleep,Sleep,_initterm,SetUnhandledExceptionFilter,_set_invalid_parameter_handler,malloc,strlen,malloc,memcpy,_cexit, 0_2_00007FF73D3F1160
No contacted IP infos