File name:	lummaps1.zip
Full analysis:	https://app.any.run/tasks/086e6949-e34d-4614-9f8e-03fc50f13e5d
Verdict:	Malicious activity
Threats:	HijackLoader is a modular malware acting as a vehicle for distributing different types of malicious software on compromised systems. It gained prominence during the summer of 2023 and has since been used in multiple attacks against organizations from various sectors, including hospitality businesses. A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. Malware Trends Tracker >>>
Analysis date:	May 15, 2025, 16:22:58
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	arch-scr auto generic hijackloader loader
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v5.1 to extract, compression method=AES Encrypted
MD5:	70ED92ED5A70E73D6DC19F1AFCD9AA18
SHA1:	D370D34E450BEC59D40A5FF7E2D7448A9A326132
SHA256:	277443C934C624EB4401CD04C57EF1AAE3306DD4CC3BCC782395F2055FA3A7C7
SSDEEP:	384:LdtU/LDMrzjLL1UmLEm/CHayVi0VoVuUQOhphYO:LPU/YjLLT3yeVCOh0O

ZipRequiredVersion:	51
ZipBitFlag:	0x0003
ZipCompression:	Unknown (99)
ZipModifyDate:	2025:05:15 16:14:06
ZipCRC:	0x8355915b
ZipCompressedSize:	12777
ZipUncompressedSize:	17777
ZipFileName:	0f6998c8df794ca2e22ac859bb5b5eabb30031e3f99510aa21a6352c220616a0.ps1


(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	3
Value: C:\Users\admin\Desktop\preferences.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	2
Value: C:\Users\admin\Desktop\chromium_ext.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\omni_23_10_2024_.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\Desktop\lummaps1.zip
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(6872) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100

PID	Process	Filename		Type
5116	powershell.exe	C:\Users\admin\AppData\Roaming\Crort.hl		binary
		MD5:CC600AEA5A7CE4508D0E553ACF3F3CDA	SHA256:46398A8E92B09C61D7859615EE9605009715C28CDBD64435532B5211A7556583
5116	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache		binary
		MD5:3F95A05381C6D14195F6A1538F5FBADE	SHA256:0E753E9AD3EDE811C17D076B462F85321B8F559C2E462AF0990A1653573A525F
5116	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_i2vhcti2.ajl.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
5116	powershell.exe	C:\Users\admin\AppData\Roaming\Quickhad.iwpn		abr
		MD5:F6CF6282BDD86CCC3CD4C4009632A0DA	SHA256:02B5E970698077A5A27162474E110132C267127EEEAC1876F56FDACD1FADA878
2240	AMatrix_Electro16.exe	C:\ProgramData\writerUltra\msvcp140.dll		executable
		MD5:9FF712C25312821B8AEC84C4F8782A34	SHA256:517CD3AAC2177A357CCA6032F07AD7360EE8CA212A02DD6E1301BF6CFADE2094
5116	powershell.exe	C:\Users\admin\AppData\Roaming\msvcp140.dll		executable
		MD5:9FF712C25312821B8AEC84C4F8782A34	SHA256:517CD3AAC2177A357CCA6032F07AD7360EE8CA212A02DD6E1301BF6CFADE2094
2240	AMatrix_Electro16.exe	C:\Users\admin\AppData\Local\Temp\F78A324.tmp		—
		MD5:—	SHA256:—
5116	powershell.exe	C:\Users\admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms		binary
		MD5:B5B94A98E44FF969E5F03DA26513E939	SHA256:64EEA78A2943D2D994360B39BD051F35E30A26196BA5B12C1E77C248CCD0C143
5116	powershell.exe	C:\Users\admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive		binary
		MD5:F87C5193E4A1E27AD73EF8B1C577BF57	SHA256:88C9D3BA2B93AE0293C585317FE58F6291BB72B3B1B2F369AFEEFAF8BA7FFEDC
2240	AMatrix_Electro16.exe	C:\ProgramData\writerUltra\Quickhad.iwpn		binary
		MD5:F6CF6282BDD86CCC3CD4C4009632A0DA	SHA256:02B5E970698077A5A27162474E110132C267127EEEAC1876F56FDACD1FADA878

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
6028	SIHClient.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	2.16.168.114:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
6028	SIHClient.exe	GET	200	23.219.150.101:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	40.127.240.158:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.248:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
5116	powershell.exe	74.112.186.157:443	app.box.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
5116	powershell.exe	74.112.186.164:443	public.boxcloud.com	GOOGLE-CLOUD-PLATFORM	US	whitelisted
6028	SIHClient.exe	20.109.210.53:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6028	SIHClient.exe	2.16.168.114:80	crl.microsoft.com	Akamai International B.V.	RU	whitelisted
6028	SIHClient.exe	23.219.150.101:80	www.microsoft.com	AKAMAI-AS	CL	whitelisted
6028	SIHClient.exe	40.69.42.241:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	40.127.240.158	whitelisted
google.com	142.250.185.206	whitelisted
client.wns.windows.com	172.211.123.248	whitelisted
app.box.com	74.112.186.157	whitelisted
public.boxcloud.com	74.112.186.164	whitelisted
slscr.update.microsoft.com	20.109.210.53	whitelisted
crl.microsoft.com	2.16.168.114 2.16.168.124	whitelisted
www.microsoft.com	23.219.150.101	whitelisted
fe3cr.delivery.mp.microsoft.com	40.69.42.241	whitelisted
activation-v2.sls.microsoft.com	20.83.72.98	whitelisted

PID	Process	Class	Message
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage
—	—	Not Suspicious Traffic	ET INFO Windows Powershell User-Agent Usage

General Info

lummaps1.zip

70ED92ED5A70E73D6DC19F1AFCD9AA18

D370D34E450BEC59D40A5FF7E2D7448A9A326132

277443C934C624EB4401CD04C57EF1AAE3306DD4CC3BCC782395F2055FA3A7C7

384:LdtU/LDMrzjLL1UmLEm/CHayVi0VoVuUQOhphYO:LPU/YjLLT3yeVCOh0O

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Bypass execution policy to execute commands

Generic archive extractor

GENERIC has been found (auto)

HIJACKLOADER has been detected (YARA)

Executing a file with an untrusted certificate

SUSPICIOUS

Converts a specified value to a byte (POWERSHELL)

Process drops legitimate windows executable

Extracts files to a directory (POWERSHELL)

Executable content was dropped or overwritten

The process drops C-runtime libraries

Gets file extension (POWERSHELL)

INFO

Script raised an exception (POWERSHELL)

Manual execution by a user

Uses string replace method (POWERSHELL)

Gets data length (POWERSHELL)

Converts byte array into ASCII string (POWERSHELL)

Creates files in the program directory

Reads the computer name

The sample compiled with english language support

Disables trace logs

Checks if a key exists in the options dictionary (POWERSHELL)

Checks supported languages

Checks whether the specified file exists (POWERSHELL)

Create files in a temporary directory

Creates files or folders in the user directory

The sample compiled with chinese language support

Checks proxy server information

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings