Security Mechanic

Other payloads of Security Mechanic:

It modifies the Windows Registry and adds the following entries:

  • HKEY_CLASSES_ROOT\CLSID\{107a1d63-2eaa-4694-8aba-ec209c630d83}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\App Paths\lsascs.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Shell Extensions\Approved\{107a1d63-2eaa-4694-8aba-ec209c630d83}
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Current Version\Run "Security Mechanic"

The threat drops the following malicious files:

  • %UserProfile%\Application Data\Microsoft\windll32.exe
  • %UserProfile%\Application Data\lsascs.exe
  • %UserProfile%\Application Data\spyprotector
  • %UserProfile%\Application Data\setup.exe
  • %UserProfile%\Application Data\shellex.dll
  • %ProgramFiles%\Security Mechanic
  • %WINDOWS%\System32\spyprotector.cpl
  • %Documents and Settings%\[User]\Application Data\SpyProtector\SC_Base_new.dat
  • %Documents and Settings%\[User]\Application Data\SpyProtector\SC_Config.ini
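An added detection example, not part of the original listing: a read-only PowerShell check that reports whether the registry entries and dropped files above are present on a host. It assumes the standard "CurrentVersion" spelling for the keys rendered as "Current Version" above, and maps the XP-era "%UserProfile%\Application Data" and "%Documents and Settings%\[User]\Application Data" locations to the current user's $env:APPDATA; it removes nothing.

```powershell
# Added example (not from the original page): look for the Security Mechanic
# indicators listed above and print findings. Read-only, nothing is deleted.

$Clsid = '{107a1d63-2eaa-4694-8aba-ec209c630d83}'
# Standard spelling of the key the listing shows as "Current Version" (assumption)
$Cv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion'

# Registry indicators: key path plus an optional value name expected under it
$RegistryChecks = @(
    @{ Path = "Registry::HKEY_CLASSES_ROOT\CLSID\$Clsid"; Value = $null }
    @{ Path = "$Cv\App Paths\lsascs.exe";                  Value = $null }
    @{ Path = "$Cv\Shell Extensions\Approved";             Value = $Clsid }
    @{ Path = "$Cv\Run";                                   Value = 'Security Mechanic' }
)

# Dropped-file indicators; the XP-era per-user "Application Data" locations in the
# listing are mapped to the current user's roaming AppData (assumption)
$FileChecks = @(
    "$env:APPDATA\Microsoft\windll32.exe"
    "$env:APPDATA\lsascs.exe"
    "$env:APPDATA\spyprotector"
    "$env:APPDATA\setup.exe"
    "$env:APPDATA\shellex.dll"
    "$env:ProgramFiles\Security Mechanic"
    "$env:windir\System32\spyprotector.cpl"
    "$env:APPDATA\SpyProtector\SC_Base_new.dat"
    "$env:APPDATA\SpyProtector\SC_Config.ini"
)

$Findings = @()

foreach ($check in $RegistryChecks) {
    if (-not (Test-Path -LiteralPath $check.Path)) { continue }
    if ($null -eq $check.Value) {
        $Findings += "Registry key present: $($check.Path)"
    } else {
        # Key exists (normal for Run / Approved); only flag the specific value name
        $item = Get-ItemProperty -LiteralPath $check.Path -ErrorAction SilentlyContinue
        if ($item -and ($item.PSObject.Properties.Name -contains $check.Value)) {
            $Findings += "Registry value present: $($check.Path) -> '$($check.Value)' = $($item.($check.Value))"
        }
    }
}

foreach ($path in $FileChecks) {
    if (Test-Path -LiteralPath $path) { $Findings += "File present: $path" }
}

if ($Findings.Count -eq 0) { 'No Security Mechanic indicators found.' } else { $Findings }
```

Run it from an elevated PowerShell prompt so HKLM and System32 are readable; to cover other user profiles, repeat the file checks with each profile's AppData\Roaming path in place of $env:APPDATA.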
