← Back to Explore
sigmahighHunting
Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations. This behavior has been observed in-the-wild by different threat actors.
Detection Query
selection_img:
- Image|endswith: \iexpress.exe
- OriginalFileName: IEXPRESS.exe
selection_cli:
CommandLine|contains|windash: " /n "
selection_paths:
CommandLine|contains:
- :\ProgramData\
- :\Temp\
- :\Windows\System32\Tasks\
- :\Windows\Tasks\
- :\Windows\Temp\
- \AppData\Local\Temp\
condition: all of selection_*
Author
Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
Created
2024-02-05
Data Sources
windowsProcess Creation Events
Platforms
windows
References
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
- https://en.wikipedia.org/wiki/IExpress
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
Tags
attack.defense-evasionattack.t1218
Raw Content
title: Self Extracting Package Creation Via Iexpress.EXE From Potentially Suspicious Location
id: b2b048b0-7857-4380-b0fb-d3f0ab820b71
status: test
description: |
Detects the use of iexpress.exe to create binaries via Self Extraction Directive (SED) files located in potentially suspicious locations.
This behavior has been observed in-the-wild by different threat actors.
references:
- https://strontic.github.io/xcyclopedia/library/iexpress.exe-D594B2A33EFAFD0EABF09E3FDC05FCEA.html
- https://en.wikipedia.org/wiki/IExpress
- https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/
- https://www.virustotal.com/gui/file/602f4ae507fa8de57ada079adff25a6c2a899bd25cd092d0af7e62cdb619c93c/behavior
author: Joseliyo Sanchez, @Joseliyo_Jstnk, Nasreddine Bencherchali (Nextron Systems)
date: 2024-02-05
modified: 2024-06-04
tags:
- attack.defense-evasion
- attack.t1218
logsource:
category: process_creation
product: windows
detection:
# VT Query: behavior_processes:"iexpress.exe" and behavior_processes:"/n /q /m" and behavior_processes:"*.sed*" and p:5+
selection_img:
- Image|endswith: '\iexpress.exe'
- OriginalFileName: 'IEXPRESS.exe'
selection_cli:
CommandLine|contains|windash: ' /n '
selection_paths:
CommandLine|contains:
# Note: Add more uncommon paths that fit your organizational needs.
- ':\ProgramData\'
- ':\Temp\'
- ':\Windows\System32\Tasks\'
- ':\Windows\Tasks\'
- ':\Windows\Temp\'
- '\AppData\Local\Temp\'
condition: all of selection_*
falsepositives:
- Administrators building packages using iexpress.exe
level: high