Windows Analysis Report
ACHViewer.exe

Overview

General Information

Sample name: ACHViewer.exe
Analysis ID: 1615144
MD5: 8df82d1e96898af7df911f286edd9132
SHA1: c4a1aac381a11e85c96d96cbb0da67759cfafad6
SHA256: 7afc4890ab9fe40c7f7bc2b79a3f1e48cf5f2bc14eaadf898ee70adf603e4ee7

Detection

Score: 2
Range: 0 - 100
Confidence: 40%

Signatures

Creates a process in suspended mode (likely to inject code)
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Uses 32bit PE files
Uses cacls to modify the permissions of files

Classification

Source: ACHViewer.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\ACHViewer.exe File opened: C:\Users\user\AppData\Local\Temp\X130D1D58\
Source: C:\Users\user\Desktop\ACHViewer.exe File opened: C:\Users\user\AppData\Local\Temp\
Source: C:\Users\user\Desktop\ACHViewer.exe File opened: C:\Users\user\AppData\Local\
Source: C:\Users\user\Desktop\ACHViewer.exe File opened: C:\Users\user\AppData\
Source: C:\Users\user\Desktop\ACHViewer.exe File opened: C:\Users\user\
Source: C:\Users\user\Desktop\ACHViewer.exe File opened: C:\Users\user\AppData\Local\Temp\X130D1D58\jexepackboot.class
Source: ACHViewer.exe, 00000000.00000002.2905645059.00000000099C0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: ACHViewer.exe, 00000000.00000002.2905645059.0000000009A09000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: classification engine Classification label: clean2.winEXE@4/4@0/0
Source: C:\Users\user\Desktop\ACHViewer.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7564:120:WilError_03
Source: C:\Users\user\Desktop\ACHViewer.exe File created: C:\Users\user\AppData\Local\Temp\X130D1D58
Source: ACHViewer.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\ACHViewer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\ACHViewer.exe File read: C:\Users\user\Desktop\ACHViewer.exe
Source: unknown Process created: C:\Users\user\Desktop\ACHViewer.exe "C:\Users\user\Desktop\ACHViewer.exe"
Source: C:\Users\user\Desktop\ACHViewer.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: wsock32.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: vcruntime140.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: msvcp140.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: dwmapi.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: opengl32.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: glu32.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\ACHViewer.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: ACHViewer.exe, 00000000.00000003.1662339403.0000000014860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: ACHViewer.exe, 00000000.00000003.1662339403.0000000014860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: ACHViewer.exe, 00000000.00000002.2903017496.000000000063E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll.
Source: ACHViewer.exe, 00000000.00000002.2903017496.0000000000668000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: ACHViewer.exe, 00000000.00000003.1662339403.0000000014860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: ACHViewer.exe, 00000000.00000002.2903017496.0000000000668000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: ACHViewer.exe, 00000000.00000003.1662339403.0000000014860000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: C:\Users\user\Desktop\ACHViewer.exe Memory protected: page read and write | page guard
Source: C:\Users\user\Desktop\ACHViewer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Users\user\Desktop\ACHViewer.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7512 VolumeInformation
Source: C:\Users\user\Desktop\ACHViewer.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Users\user\Desktop\ACHViewer.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Users\user\Desktop\ACHViewer.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Users\user\Desktop\ACHViewer.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
No contacted IP infos