hxxps://www[.]poly[.]com/in/en/support/downloads-apps

General

Target

https://www.poly.com/in/en/support/downloads-apps
Sample

210117-6tswpdfc2n

Score

6^/10

Malware Config

Signatures

JavaScript code in executable 1 IoCs

Processes:

yara_rule

js

yara_rule
js

Modifies Internet Explorer settings 1 TTPs 83 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "106"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "209"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "218"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "330"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 7039abee00edd601	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "218"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "330"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "374"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "634"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000039e08b06c84715459283081ff7bb5a6000000000020000000000106600000001000020000000fbf4d49f18b7130a90b04c905407ea037a20571e5c5b8da8c46fd1f2156caa33000000000e80000000020000200000002910604b76aa3e3047f0346bc5d84ecb40f51a21d722557e32c6220f19fa4e1f200000002c72ed5dafbbac59a35dae2734b86b4d01608f50ee2ee5f00f51f96c6f4af1d74000000035fa39fa24bb5beba54334e02aad10a33240229601848812012b38cb9afac2046d25e387a9878a87839eb33c036039fc75b10b83de08cdb53489c165b21144ba	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{12F2C481-58F4-11EB-BA33-6280D915632E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "48"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "218"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "327"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "503"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "223"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "376"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "634"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "281"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "48"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "48"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "106"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "281"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "330"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "503"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "158"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\www.poly.com\ = "223"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "634"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "238"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com\Total = "281"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "327"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\poly.com	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "106"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "374"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

iexplore.exe

pid process

2028 iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid process

2028 iexplore.exe
2028 iexplore.exe
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE
1960 IEXPLORE.EXE

pid	process
2028	iexplore.exe

pid	process
2028	iexplore.exe
2028	iexplore.exe
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE
1960	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

iexplore.exe

description	pid	process	target process
PID 2028 wrote to memory of 1960	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1960	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1960	2028	iexplore.exe	IEXPLORE.EXE
PID 2028 wrote to memory of 1960	2028	iexplore.exe	IEXPLORE.EXE

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://www.poly.com/in/en/support/downloads-apps
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2028 CREDAT:275457 /prefetch:2
2⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1960

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
fb5a71220df6636e24bf8dfdda3b4503

SHA1
9d32ba7957850cdae98ebb5ae4e17dd1b2ae3449

SHA256
45d542df53ddf61402ff2616ee0a5efadef3b8036cc523a115a1e51971ccebcf

SHA512
1bd38d8999f50fd5421594645c2ed65723ac3d815e3bf4503f825843584cf5581d5e2a34bfaa7afa465ab8024aeef9c4b3d6af329bdcf1e2ecab079afc20b75b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_1DC6D7385EA816C957BA2B715AC5C442
MD5
be21ea9a0a3ad156fa0e7a4cdd7c68c5

SHA1
1c74d90a77ab7ec1fbb3bc4bf3ce2a4e80b82abf

SHA256
5867aa785cfc06d7eeb2e541966a595100a566222712edbc6d4ed615d1c43bb5

SHA512
8b84837ee895f844a8661437fff94f530d3fae59c4f82462ef1c031cdd4cc0528dd50abe389ca64b5335cc8b52bd52360f75955154d33479aebacd5b9a89f641

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
21bcef2acb007960545273f8a3d2e2c6

SHA1
7ac0eb5edabfe668b2bd0697a772ce652b79c5ac

SHA256
26c173953419ce5b17751a01f1cac3e1b678b5e407de4b45a201565f8d8ade1d

SHA512
e65f0138d5b113520ef8839a922a04ec89c0c762bdcd9db67d2f8736ae607d4f6214337d5e517807997bf13de06765fbba65949ebcea38338f8ae251c870fa63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\w5ukms8\imagestore.dat
MD5
5c61d92a860921978ee39d971664e3b1

SHA1
d95db201fbd62aeb5dbe427aa7c87dbfe1319296

SHA256
28b90bd8a5194fc6e57edc0d24d641210c8301f48b0981fcbe33d7b1038a5b9d

SHA512
258bce292c65be2b643399337ad01fcc8cc8e1d700637b6d95c25a9545fcffcee6b8cf9982e12b59966d456ab6869a11530cb7ec2de903bd845ab55051a8c6b9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PZO6NQHI.txt
MD5
1fff22454fda62f9b831fa9c81d41fd5

SHA1
6934c0d34da54e4fae5071b10d8ba6e5dd2ca4aa

SHA256
38f3cd9ec00ec273d480e2e34895953747ac7b89352fe9c3fa09aaff87674f0a

SHA512
8764e98f92ca8ce0713b5ea9a98cd61f1996f849b46f0f320f7f8077332d7b142ea98cb3ac2b443d9136c45d26df9d8dfd0b48e21fe88adc84c209029f373f85

Download Submit
memory/916-2-0x000007FEF7E60000-0x000007FEF80DA000-memory.dmp

Filesize
2.5MB

Download
memory/1960-12-0x000000000CF36000-0x000000000CF37000-memory.dmp

Filesize
4KB

Download
memory/1960-15-0x000000000762E000-0x000000000762F000-memory.dmp

Filesize
4KB

Download
memory/1960-10-0x000000000CF40000-0x000000000CF41000-memory.dmp

Filesize
4KB

Download
memory/1960-8-0x000000000CF36000-0x000000000CF37000-memory.dmp

Filesize
4KB

Download
memory/1960-7-0x000000000763F000-0x0000000007640000-memory.dmp

Filesize
4KB

Download
memory/1960-13-0x000000000FEF5000-0x000000000FEF6000-memory.dmp

Filesize
4KB

Download
memory/1960-14-0x000000000FEF5000-0x000000000FEF6000-memory.dmp

Filesize
4KB

Download
memory/1960-9-0x0000000008F9B000-0x0000000008F9C000-memory.dmp

Filesize
4KB

Download
memory/1960-16-0x00000000111A3000-0x00000000111A4000-memory.dmp

Filesize
4KB

Download
memory/1960-18-0x00000000122FE000-0x00000000122FF000-memory.dmp

Filesize
4KB

Download
memory/1960-17-0x00000000122FC000-0x00000000122FD000-memory.dmp

Filesize
4KB

Download
memory/1960-19-0x000000001230B000-0x000000001230C000-memory.dmp

Filesize
4KB

Download
memory/1960-6-0x0000000004BE7000-0x0000000004BE8000-memory.dmp

Filesize
4KB

Download
memory/1960-5-0x0000000000400000-0x0000000000402000-memory.dmp

Filesize
8KB

Download
memory/1960-4-0x0000000075C31000-0x0000000075C33000-memory.dmp

Filesize
8KB

Download
memory/1960-3-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing