Security Manager - Registry Nodes

Add-in Express™ Support Service
Martin Praxmarer
Posts: 316
Joined: 2008-05-19
Hi,

One of our customers contacted us because a "WildFire report" shows malicious activities when sending mails from our application. In fact, they are concerned about the registry entries which are created. Can you please share some info about these activities?

1. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\<DEFAULT> to value secman
2. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\secman.DLL\AppID to value {4D076AB4-7562-427A-B5D2-BD96E19DEE56}
3. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager.1\<DEFAULT> to value OutlookSecurityManager Class
4. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager.1\CLSID\<DEFAULT> to value {826D7151-8D99-434B-8540-082B8C2AE556}
5. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager\<DEFAULT> to value OutlookSecurityManager Class
6. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager\CLSID\<DEFAULT> to value {826D7151-8D99-434B-8540-082B8C2AE556}
7. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\secman.OutlookSecurityManager\CurVer\<DEFAULT> to value secman.OutlookSecurityManager.1
8. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\<DEFAULT> to value OutlookSecurityManager Class
9. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\ProgID\<DEFAULT> to value secman.OutlookSecurityManager.1
10. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\VersionIndependentProgID\<DEFAULT> to value secman.OutlookSecurityManager
11. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\InprocServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
12. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\InprocServer32\ThreadingModel to value Apartment
13. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\AppID to value {4D076AB4-7562-427A-B5D2-BD96E19DEE56}
14. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\TypeLib\<DEFAULT> to value {11549FE4-7C5A-4C17-9FC3-56FC5162A994}
15. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\<DEFAULT> to value secman 1.0 Type Library
16. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\FLAGS\<DEFAULT> to value 0
17. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\0\win32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
18. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\HELPDIR\<DEFAULT> to value
19. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value IOutlookSecurityManager
20. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid\<DEFAULT> to value {00020424-0000-0000-C000-000000000046}
21. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid32\<DEFAULT> to value {00020424-0000-0000-C000-000000000046}
22. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\TypeLib\<DEFAULT> to value {11549FE4-7C5A-4C17-9FC3-56FC5162A994}
23. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\TypeLib\Version to value 1.0
24. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\<DEFAULT> to value IOutlookSecurityManager2
25. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ProxyStubClsid\<DEFAULT> to value {00020424-0000-0000-C000-000000000046}
26. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ProxyStubClsid32\<DEFAULT> to value {00020424-0000-0000-C000-000000000046}
27. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\TypeLib\<DEFAULT> to value {11549FE4-7C5A-4C17-9FC3-56FC5162A994}
28. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\TypeLib\Version to value 1.0
29. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
30. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\ThreadingModel to value Both
31. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value PSFactoryBuffer
32. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid32\<DEFAULT> to value {66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
33. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value IOutlookSecurityManager
34. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\NumMethods\<DEFAULT> to value 11
35. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ProxyStubClsid32\<DEFAULT> to value {66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
36. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\<DEFAULT> to value IOutlookSecurityManager2
37. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\NumMethods\<DEFAULT> to value 12
38. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll
39. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\InProcServer32\ThreadingModel to value Both
40. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value PSFactoryBuffer
41. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\ProxyStubClsid32\<DEFAULT> to value {66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
42. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\<DEFAULT> to value IOutlookSecurityManager
43. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}\NumMethods\<DEFAULT> to value 11
44. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\ProxyStubClsid32\<DEFAULT> to value {66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}
45. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\<DEFAULT> to value IOutlookSecurityManager2
46. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}\NumMethods\<DEFAULT> to value 12
47. Created Process C:\WINDOWS\system32\dwwin.exe -x -s 176
48. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData to value C:\Documents and Settings\Administrator\Application Data
49. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Personal to value C:\Documents and Settings\Administrator\My Documents
50. Created mutex CTF.LBES.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
51. Created mutex CTF.Compart.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
52. Created mutex CTF.Asm.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
53. Created mutex CTF.Layouts.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
54. Created mutex CTF.TMD.MutexDefaultS-1-5-21-515967899-776561741-1417001333-500
55. Created mutex CTF.TimListCache.FMPDefaultS-1-5-21-515967899-776561741-1417001333-500MUTEX.DefaultS-1-5-21-515967899-776561741-1417001333-500
56. Created file C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\91C8C3.dmp
57. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cache to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files
58. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5
59. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths to value 4
60. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache1
61. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache2
62. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache3
63. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\Cache4
64. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit to value 8000000
65. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit to value 8000000
66. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit to value 8000000
67. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit to value 8000000
68. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Cookies to value C:\Documents and Settings\Administrator\Cookies
69. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\History to value C:\Documents and Settings\Administrator\Local Settings\History
70. Created mutex c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
71. Created mutex c:!documents and settings!administrator!cookies!
72. Created mutex c:!documents and settings!administrator!local settings!history!history.ie5!
73. Created mutex WininetConnectionMutex
74. Created mutex RasPbFile
75. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData to value C:\Documents and Settings\All Users\Application Data
76. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData to value C:\Documents and Settings\Administrator\Application Data
77. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\MigrateProxy to value 1
78. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable to value 0
79. Set key \REGISTRY\MACHINE\SYSTEM\ControlSet001\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable to value 0
80. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings to value NULL
81. Created mutex MSCTF.Shared.MUTEX.MDH
82. Created mutex MSCTF.Shared.MUTEX.MDH
83. Created Process C:\WINDOWS\system32\drwtsn32 -p 1880 -e 228 -g
84. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\Common AppData to value C:\Documents and Settings\All Users\Application Data
85. Created file C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\drwtsn32.log
Posted 10 Mar, 2020 02:58:40
Andrei Smolin
Add-in Express team
Posts: 16999
Joined: 2006-05-11
Hello Martin,

Items 1-46 relate to our Outlook Security Manager. Actually, these items can be found using this "rule": they are the registry keys and values containing the substrings below:
- "secman",
- "OutlookSecurityManager",
- "{4D076AB4-7562-427A-B5D2-BD96E19DEE56}",
- "{11549FE4-7C5A-4C17-9FC3-56FC5162A994}",
- "{66EEF543-A9AC-4A9D-AA3C-1ED148AC8EEE}",
- "{66EEF543-A9AC-4A9D-AA3C-1ED148AC8FFE}",
- "{826D7151-8D99-434B-8540-082B8C2AE556}" (32bit) or "{2F35794D-4574-4BCF-B0A5-3B16AF985788}" (64bit).

These registry keys are created as part of COM registration of Security Manager files: secman.dll (secman64.dll).

The remaining items look to be part of the normal functioning of Windows. Say, 47: dwwin.exe is a debugger; see https://answers.microsoft.com/en-us/windows/forum/all/werfault-and-dwwin-exe-errors/c21991f6-267c-4630-ac43-cb31823b0e6b. 83: drwtsn32 - this is obviously Doctor Watson; 85 is its log file.

56: 91C8C3.dmp - you'll have to experiment to find the program creating that file; the file name will obviously change.

I wouldn't be surprised if mutexes 71-73 are created by IE or Outlook running; IE, Outlook or a program using the WebBrowser component might be responsible for any keys/values containing "Internet Settings" and "Shell Folders".

Note that all the keys created in HKLM require administrative permissions. The user may avoid the assumed risk associated with such keys by starting applications non-elevated. Registering Outlook Security Manager files requires elevated permissions, though. I assume that you use a .NET or VCL version of the Security Manager. If so, they allow using two deployment scenarios; the second one doesn't require administrative privileges:

1. Register both secman.dll and secman64.dll as COM servers; this requires administrative privileges. Note that you only need to register secman64.dll on a 64bit PC. This approach allows specifying a profile-independent location for the files. Pay attention, please, that you should place secman.dll and secman64.dll as shared DLLs into the shared folder of Windows, Common Files\Outlook Security Manager. Do not unregister secman.dll and secman64.dll if they exist in that folder when you install your product.
2. Put secman.dll and secman64.dll into the folder where all files of your application are located. This approach doesn't require registering the files.


Regards from Belarus (GMT+3),

Andrei Smolin
Add-in Express Team Leader
Posted 10 Mar, 2020 04:34:04
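As an added example (not code from Add-in Express or from either poster), the Python below applies Andrei's substring "rule" to lines in the sandbox report format quoted in the question: it separates the Outlook Security Manager COM registration items from the rest, flags the HKLM writes that needed administrative rights, and lists the DLL paths the registration points at. The line format and marker list come from this thread; the category labels and the sample selection are my own.

```python
import re
# Substrings from Andrei's "rule": a key or value containing one of these belongs to
# Outlook Security Manager's COM registration (64-bit CLSID included as he lists it).
SECMAN_MARKERS = ("secman", "outlooksecuritymanager",
                  "{4d076ab4-7562-427a-b5d2-bd96e19dee56}", "{11549fe4-7c5a-4c17-9fc3-56fc5162a994}",
                  "{66eef543-a9ac-4a9d-aa3c-1ed148ac8eee}", "{66eef543-a9ac-4a9d-aa3c-1ed148ac8ffe}",
                  "{826d7151-8d99-434b-8540-082b8c2ae556}", "{2f35794d-4574-4bcf-b0a5-3b16af985788}")

# Report line shapes: "N. Set key PATH to value VALUE" (value may be empty, as in item 18)
# and "N. Created process|mutex|file WHAT".
SET_KEY_RE = re.compile(r"^\s*(\d+)\. Set key (?P<path>.+?) to value(?: (?P<value>.*))?$")
CREATED_RE = re.compile(r"^\s*(\d+)\. Created (?P<kind>process|mutex|file) (?P<what>.+)$", re.I)

def classify(line):
    """Return (item, category, needs_admin, path, value), or None for an unknown line shape."""
    m = SET_KEY_RE.match(line)
    if m:
        path, value = m.group("path"), m.group("value") or ""
        secman = any(mk in (path + " " + value).lower() for mk in SECMAN_MARKERS)
        category = "secman-com-registration" if secman else "windows-registry"
        # Writes under HKLM (\REGISTRY\MACHINE) only succeed with administrative rights.
        return int(m.group(1)), category, path.upper().startswith("\\REGISTRY\\MACHINE\\"), path, value
    m = CREATED_RE.match(line)
    if m:
        return int(m.group(1)), "created-" + m.group("kind").lower(), False, m.group("what"), ""
    return None

def summarize(report_lines):
    """Split a report into Security Manager registration items and everything else."""
    items = [c for c in map(classify, report_lines) if c]
    secman = [i for i in items if i[1] == "secman-com-registration"]
    return {
        "secman_items": [i[0] for i in secman],
        "other_items": [i[0] for i in items if i[1] != "secman-com-registration"],
        "hklm_items": [i[0] for i in items if i[2]],
        # DLL locations the registration points at (InprocServer32 default values).
        "registered_dlls": sorted({i[4] for i in secman
                                   if i[3].lower().endswith("inprocserver32\\<default>")}),
    }

# Constructed sample: six lines copied from the report quoted in the question above.
SAMPLE = [
    r"1. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{4D076AB4-7562-427A-B5D2-BD96E19DEE56}\<DEFAULT> to value secman",
    r"11. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{826D7151-8D99-434B-8540-082B8C2AE556}\InprocServer32\<DEFAULT> to value c:\documents and settings\administrator\sample.dll",
    r"18. Set key \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{11549FE4-7C5A-4C17-9FC3-56FC5162A994}\1.0\HELPDIR\<DEFAULT> to value",
    r"47. Created Process C:\WINDOWS\system32\dwwin.exe -x -s 176",
    r"48. Set key \REGISTRY\USER\S-1-5-21-515967899-776561741-1417001333-500\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders\AppData to value C:\Documents and Settings\Administrator\Application Data",
    r"58. Set key \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory to value C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5",
]
```

Run `summarize(SAMPLE)` (or feed it the full 85-line report) to get the item numbers per category; the `registered_dlls` entry shows whether the registered secman DLL lives in a user profile or in the shared Common Files location from the deployment note.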