New Self Extracting Package Created Via IExpress.exe

    Date: 12/02/2024

    Severity: Medium

    Summary

    Detects the use of the "iexpress.exe" utility to create self-extracting packages. IExpress is a Windows built-in that builds a self-extracting executable from a Self Extraction Directive (".sed") file; its "/n" switch builds the package non-interactively from that directive, and it spawns "makecab.exe" to compress the bundled files. Attackers have been observed leveraging "iexpress" to compile packages on the host at run time from ".sed" files they drop. Investigate the command-line options passed to "iexpress," and if a ".sed" file is involved, review its contents (in particular the files it bundles and the command it launches after extraction) and verify its legitimacy.
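    The following triage helper is an added example written for this article (it is not Gurucul's or the Sigma project's code). It parses a .sed file and pulls out the fields an analyst verifies: the output executable (TargetName), the files packed in (FILEn entries in [Strings] and the [SourceFiles] directories), and the command run after extraction (AppLaunched / PostInstallCmd). The .sed sample is constructed for the example, and the "suspicious value" heuristics are assumptions, not a Gurucul rule.

```python
import configparser
import re

# Constructed .sed for the example. The layout (Version/Options/Strings/SourceFiles
# sections, %Name% references in [Options] resolved from [Strings]) follows what
# the IExpress wizard writes; the paths and file names are made up.
SAMPLE_SED = r"""[Version]
Class=IEXPRESS
SEDVersion=3
[Options]
PackagePurpose=InstallApp
ShowInstallProgramWindow=0
HideExtractAnimation=1
UseLongFileName=1
InsideCompressed=0
RebootMode=N
InstallPrompt=%InstallPrompt%
DisplayLicense=%DisplayLicense%
FinishMessage=%FinishMessage%
TargetName=%TargetName%
FriendlyName=%FriendlyName%
AppLaunched=%AppLaunched%
PostInstallCmd=%PostInstallCmd%
AdminQuietInstCmd=%AdminQuietInstCmd%
UserQuietInstCmd=%UserQuietInstCmd%
SourceFiles=SourceFiles
[Strings]
InstallPrompt=
DisplayLicense=
FinishMessage=
TargetName=C:\Users\Public\update.exe
FriendlyName=Update
AppLaunched=cmd.exe /c run.bat
PostInstallCmd=<None>
AdminQuietInstCmd=
UserQuietInstCmd=
FILE0="run.bat"
FILE1="stage2.dll"
[SourceFiles]
SourceFiles0=C:\Users\Public\
[SourceFiles0]
%FILE0%=
%FILE1%=
"""

REF = re.compile(r"%([^%]+)%")        # %Name% reference into [Strings]
FILE_KEY = re.compile(r"^FILE\d+$")   # FILE0, FILE1, ... entries in [Strings]

# Heuristics (assumptions for this example): launchers worth a second look,
# and packed file types that are scripts or libraries rather than data.
SUSPICIOUS_LAUNCHERS = ("cmd.exe", "cmd ", "powershell", "pwsh", "wscript",
                        "cscript", "mshta", "rundll32", "regsvr32", "certutil")
SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js", ".hta", ".dll")


def parse_sed(text):
    """Return resolved [Options], packed file names and source directories."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str                 # keep key case (FILE0, AppLaunched, ...)
    cp.read_string(text)
    strings = dict(cp["Strings"]) if cp.has_section("Strings") else {}

    def resolve(value):
        # Replace %Name% with the [Strings] value; leave unknown refs untouched.
        return REF.sub(lambda m: strings.get(m.group(1), m.group(0)), value)

    options = ({k: resolve(v) for k, v in cp["Options"].items()}
               if cp.has_section("Options") else {})
    files = [v.strip('"') for k, v in strings.items() if FILE_KEY.match(k)]
    source_dirs = (list(cp["SourceFiles"].values())
                   if cp.has_section("SourceFiles") else [])
    return {"options": options, "files": files, "source_dirs": source_dirs}


def triage_sed(text):
    """Parse a .sed and return (parsed, findings); findings are analyst notes."""
    parsed = parse_sed(text)
    opts = parsed["options"]
    findings = []
    for field in ("AppLaunched", "PostInstallCmd"):
        cmd = opts.get(field, "")
        if cmd and cmd != "<None>" and any(t in cmd.lower() for t in SUSPICIOUS_LAUNCHERS):
            findings.append(f"{field} runs a script host or LOLBin: {cmd}")
    for name in parsed["files"]:
        if name.lower().endswith(SCRIPT_EXTS):
            findings.append(f"packaged script or library: {name}")
    if opts.get("HideExtractAnimation") == "1":
        findings.append("HideExtractAnimation=1: extraction progress is hidden from the user")
    return parsed, findings


if __name__ == "__main__":
    parsed, findings = triage_sed(SAMPLE_SED)
    print("output :", parsed["options"].get("TargetName"))
    print("launch :", parsed["options"].get("AppLaunched"))
    print("files  :", parsed["files"], "from", parsed["source_dirs"])
    for f in findings:
        print("flag   :", f)
```

    Run it against a .sed recovered from the host (read the file and pass its text to triage_sed). The resolution step matters: [Options] values are usually just %Name% placeholders, so the real launch command and output path live in [Strings].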

    Indicators of Compromise (IOC) List

    ParentImage:
        '\iexpress.exe'

    Image:
        '\makecab.exe'
        '\iexpress.exe'

    OriginalFileName:
        'Makecab.exe'
        'IEXPRESS.exe'

    CommandLine:
        ' /n '

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    (resourcename = "Windows Security" AND eventtype = "4688") AND parentprocessname like "\iexpress.exe" AND processname like "\makecab.exe"

    Detection Query 2:

    (technologygroup = "EDR") AND parentprocessname like "\iexpress.exe" AND processname like "\makecab.exe"

    Detection Query 3:

    (resourcename = "Windows Security" AND eventtype = "4688") AND (processname like "\iexpress.exe" AND commandline like "/n")

    Detection Query 4:

    (technologygroup = "EDR") AND (processname like "\iexpress.exe" AND commandline like "/n")
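    The four queries above express two conditions: makecab.exe spawned by iexpress.exe, and iexpress.exe invoked with the /n switch. The following added example (written for this article; it is neither Gurucul's query engine nor the Sigma rule itself) applies the same logic in Python to a handful of constructed process-creation records shaped like 4688/EDR events, with two practical refinements: it matches "/n" as a whole switch token rather than as a substring, and it also checks OriginalFileName so a renamed copy of iexpress.exe is still caught. The field names and every sample value are assumptions made for the example.

```python
import re

# Constructed process-creation records (Windows 4688 / EDR style). Paths, parents
# and command lines are made up for the example; they are not real telemetry.
EVENTS = [
    {   # iexpress building a package non-interactively from a dropped .sed
        "processname": r"C:\Windows\System32\iexpress.exe",
        "originalfilename": "IEXPRESS.exe",
        "parentprocessname": r"C:\Windows\System32\cmd.exe",
        "commandline": r'"C:\Windows\System32\iexpress.exe" /N /Q C:\Users\Public\build.sed',
    },
    {   # the makecab child that iexpress spawns to compress the payload
        "processname": r"C:\Windows\System32\makecab.exe",
        "originalfilename": "Makecab.exe",
        "parentprocessname": r"C:\Windows\System32\iexpress.exe",
        "commandline": r"makecab.exe /F C:\Users\Public\build.ddf",
    },
    {   # renamed copy of iexpress: path no longer matches, OriginalFileName still does
        "processname": r"C:\Users\Public\svc.exe",
        "originalfilename": "IEXPRESS.exe",
        "parentprocessname": r"C:\Windows\explorer.exe",
        "commandline": r"svc.exe /n C:\Users\Public\job.sed",
    },
    {   # interactive wizard launch with no switches: not flagged
        "processname": r"C:\Windows\System32\iexpress.exe",
        "originalfilename": "IEXPRESS.exe",
        "parentprocessname": r"C:\Windows\explorer.exe",
        "commandline": r'"C:\Windows\System32\iexpress.exe"',
    },
    {   # makecab run by an admin from a shell, not from iexpress: not flagged
        "processname": r"C:\Windows\System32\makecab.exe",
        "originalfilename": "Makecab.exe",
        "parentprocessname": r"C:\Windows\System32\cmd.exe",
        "commandline": r"makecab.exe /F C:\build\app.ddf",
    },
]

# "/n" as a standalone switch (any case), not as a prefix of a longer token
# such as "/nologo"; a plain substring match on "/n" would hit those too.
SWITCH_N = re.compile(r"(?:^|\s)/n(?:\s|$)", re.IGNORECASE)


def _is_binary(ev, name):
    """True if the image path ends in \\name or the PE OriginalFileName equals name."""
    return (ev.get("processname", "").lower().endswith("\\" + name)
            or ev.get("originalfilename", "").lower() == name)


def match_event(ev):
    """Return the list of rule names this record triggers (empty if none)."""
    hits = []
    parent = ev.get("parentprocessname", "").lower()
    # Queries 1 and 2: makecab.exe with iexpress.exe as parent
    if parent.endswith("\\iexpress.exe") and _is_binary(ev, "makecab.exe"):
        hits.append("iexpress_spawned_makecab")
    # Queries 3 and 4: iexpress.exe invoked with the /n (build from SED) switch
    if _is_binary(ev, "iexpress.exe") and SWITCH_N.search(ev.get("commandline", "")):
        hits.append("iexpress_build_from_sed")
    return hits


def scan(events):
    """Map record index -> triggered rules, for records that triggered anything."""
    result = {}
    for i, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for idx, rules in scan(EVENTS).items():
        print(f"event {idx}: {', '.join(rules)}  <- {EVENTS[idx]['commandline']}")
```

    Of the five constructed records, the first three trigger and the last two do not: the bare wizard launch carries no /n, and makecab under cmd.exe has no iexpress parent. The OriginalFileName check only helps when the telemetry source populates that field (Sysmon and most EDRs do; Windows 4688 does not), which is why the path-based match is kept as well.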

    Reference:   

    https://github.com/SigmaHQ/sigma/blob/master/rules-threat-hunting/windows/process_creation/proc_creation_win_iexpress_execution.yml 


    Tags

    Malware, Sigma, IExpress
