Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location

 1title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
 2id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
 3status: test
 4description: |
 5    Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
 6    This behavior has been observed in-the-wild by different threat actors.    
 7references:
 8    - https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
 9    - https://en.wikipedia.org/wiki/IExpress
10    - https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
11    - https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
12author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
13date: 2024-02-05
14modified: 2024-06-04
15tags:
16    - attack.defense-evasion
17    - attack.t1218
18logsource:
19    category: process_creation
20    product: windows
21detection:
22    # VT Query: behavior_processes:"iexpress.exe" and behavior_processes:"/n /q /m" and behavior_processes:"*.sed*" and p:5+
23    selection_img:
24        - Image|endswith: '\iexpress.exe'
25        - OriginalFileName: 'IEXPRESS.exe'
26    selection_cli:
27        CommandLine|contains|windash: ' /n '
28    selection_paths:
29        CommandLine|contains:
30            # Note: Add more uncommon paths that fit your organizational needs.
31            - ':\ProgramData\'
32            - ':\Temp\'
33            - ':\Windows\System32\Tasks\'
34            - ':\Windows\Tasks\'
35            - ':\Windows\Temp\'
36            - '\AppData\Local\Temp\'
37    condition: all of selection_*
38falsepositives:
39    - Administrators building packages using iexpress.exe
40level: high

References

• iexpress.exe | Wizard

  

  What is iexpress.exe?

  
  Read More

• IExpress - Wikipedia

  

  IExpress, a component of Windows 2000 and later versions of the operating system, is used to create self-extracting packages from a set of files. Such packages can be used to install software. IExp...

  
  Read More

• Raspberry Robin’s Roshtyak: A Little Lesson in Trickery

  

  Innovative Evasion Techniques in Roshtyak

  
  Read More

• VirusTotal

  VirusTotal

  
  Read More

Related rules

• Curl Download And Execute Combination
• DLL Loaded via CertOC.EXE
• Diskshadow Script Mode - Execution From Potential Suspicious Location
• Diskshadow Script Mode - Uncommon Script Extension Execution
• Insensitive Subfolder Search Via Findstr.EXE