Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
Sigma rule (View on GitHub)
1title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
2id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
3status: experimental
4description: |
5 Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
6 This behavior has been observed in-the-wild by different threat actors.
7references:
8 - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
9 - https://en.wikipedia.org/wiki/IExpress
10 - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
11 - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
12author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
13date: 2024-02-05
14modified: 2024-06-04
15tags:
16 - attack.defense-evasion
17 - attack.t1218
18logsource:
19 category: process_creation
20 product: windows
21detection:
22 # VT Query: behavior_processes:"iexpress.exe" and behavior_processes:"/n /q /m" and behavior_processes:"*.sed*" and p:5+
23 selection_img:
24 - Image|endswith: '\iexpress.exe'
25 - OriginalFileName: 'IEXPRESS.exe'
26 selection_cli:
27 CommandLine|contains|windash: ' /n '
28 selection_paths:
29 CommandLine|contains:
30 # Note: Add more uncommon paths that fit your organizational needs.
31 - ':\ProgramData\'
32 - ':\Temp\'
33 - ':\Windows\System32\Tasks\'
34 - ':\Windows\Tasks\'
35 - ':\Windows\Temp\'
36 - '\AppData\Local\Temp\'
37 condition: all of selection_*
38falsepositives:
39 - Administrators building packages using iexpress.exe
40level: high
References
-
-
IExpress, a component of Windows 2000 and later versions of the operating system, is used to create self-extracting packages from a set of files. Such packages can be used to install software. IExp...
Read More -
We take a deep dive into Roshtyak, the DLL backdoor payload associated with Raspberry Robin. Roshtyak is full of anti-analysis tricks. Some are well-known, and some we have never seen before. From a technical perspective, the lengths Roshtyak takes to protect itself are extremely interesting. Roshtyak belongs to one of the best-protected malware strains we have ever seen. We hope by publishing our research and analysis of the malware and its protection tricks we will help fellow researchers recognize and respond to similar tricks, and harden their analysis environments, making them more resistant to the evasion techniques described.
Read More -
Related rules
- Abusing Print Executable
- AddinUtil.EXE Execution From Uncommon Directory
- AgentExecutor PowerShell Execution
- Arbitrary DLL or Csproj Code Execution Via Dotnet.EXE
- Arbitrary File Download Via MSOHTMED.EXE