type: analysis | family: asgardprotector | confidence: medium | created: 2026-05-27 | updated: 2026-05-27 | tags: pe, loader, packer, evasion, malware-family
SHA-256: d59dc2f22167b0a44bf103d664842112981d4b3dbe62f7a27e671cddbbac9d73

asgardprotector: d59dc2f2 — IExpress SFX dropper embedding AutoIt3 + compiled A3X script

Executive Summary

Microsoft Cabinet self-extractor (iexpress-sfx-dropper) repurposed as a silent dropper. Extracts AutoIt3.exe and a compiled .a3x script (Terminals.a3x) to a temp directory, then launches the script via the AutoIt interpreter — an autoit-compiled-script-dropper pattern. No CAPE detonation available; payload behavior is opaque statically. A sibling sample (d364a2f6, StatingConnectors.exe) uses the same build pattern with Dayton.a3x. The outer SFX carries a fabricated PE timestamp (2085).

What It Is

  • File: SomaliaCruises.exe, PE32+ x86-64, 1.87 MB.^[file.txt]
  • Build: MSVC 14.30 (VS 2022), linker version 14.30, compiled timestamp 2085:08:19 (fabricated).^[exiftool.json:15]^[pefile.txt:34]
  • Signature: Unsigned — the certificate directory is empty.^[pefile.txt:211] The original wextract.exe is Microsoft-signed, but this copy has been modified/repacked.
  • PDB: wextract.pdb, GUID 94098867-5fc9-b268-c53c-be826110dd1e.^[rabin2-info.txt:13]
  • Embedded archive: Microsoft Cabinet at offset 0x688BC (428,220), 1,484,468 bytes, containing 2 files.^[binwalk.txt:5]
  • Payload: AutoIt3.exe (1,107,552 bytes, PE32+ x86-64, AutoIt Consulting Ltd) and Terminals.a3x (1,018,943 bytes, compiled AutoIt script). Extracted via 7z from the CAB.

How It Works

The outer binary is wextract.exe, the IExpress CAB self-extractor shipped with Windows. Its standard behavior:

  1. Extracts the embedded CAB to a temporary directory (%TEMP%\msdownld.tmp or similar).^[strings.txt:100]
  2. Reads the RUNPROGRAM directive from the SED (Self-Extraction Directive) stored in the .rsrc section.^[strings.txt:91]
  3. Executes the post-extraction command.^[strings.txt:92]

In this sample, the RUNPROGRAM directive resolves to "AutoIt3.exe" Terminals.a3x at runtime.^[strings.txt:2954] The SFX also contains POSTRUNPROGRAM cleanup logic to delete extracted files after execution.^[strings.txt:92]

The .rsrc section (1.8 MB, entropy 7.44) holds the CAB archive plus an AVI spinner animation (resource ID 0xBB9).^[pefile.txt:159-175] The resource directory timestamp 0x64C97D89 (2023-08-01) differs from the PE header timestamp 0xD97FD45F (2085), confirming the SFX was repacked after original compilation.^[pefile.txt:535]
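The static indicators from this section (embedded Cabinet at a non-zero offset, wextract/AutoIt strings, a header timestamp in the future) can be checked without the full pipeline. The helper below is an added example written for this page, not part of the original tooling; the PE buffer it builds is a constructed stand-in that mimics the layout, not the real sample.

```python
import re
import struct
import time

# Added triage helper for this page (not from the original pipeline); markers come from the analysis above.
MARKERS = [b"wextract.pdb", b"AutoIt3.exe", b"RUNPROGRAM", b"POSTRUNPROGRAM"]
A3X_RE = re.compile(rb"\.a3x")

def pe_timestamp(data: bytes) -> int:
    """Return the COFF TimeDateStamp, or -1 if the buffer is not a PE."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return -1
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 12:
        return -1
    # COFF header starts right after "PE\0\0"; TimeDateStamp sits 4 bytes into it.
    return struct.unpack_from("<I", data, e_lfanew + 8)[0]

def triage(data: bytes, now: int) -> dict:
    """Static checks: future-dated timestamp, embedded CAB, wextract/AutoIt markers."""
    ts = pe_timestamp(data)
    found = [m.decode() for m in MARKERS if m in data]
    cab_off = data.find(b"MSCF")  # Cabinet magic, the offset binwalk reports
    has_a3x = A3X_RE.search(data) is not None
    return {
        "is_pe": ts != -1,
        "timestamp": ts,
        "future_timestamp": ts > now,
        "markers": found,
        "a3x": has_a3x,
        "cab_offset": cab_off,
        "suspicious": ts != -1 and cab_off > 0 and has_a3x
                      and {"wextract.pdb", "AutoIt3.exe"} <= set(found),
    }

def build_sample(timestamp: int) -> bytes:
    """Constructed stand-in mimicking the SFX layout; not the real file."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)       # e_lfanew -> PE signature at 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x44, 0x8664)     # Machine: x86-64
    struct.pack_into("<I", hdr, 0x48, timestamp)  # TimeDateStamp
    body = b"\0" * 64 + b'wextract.pdb\0RUNPROGRAM\0"AutoIt3.exe" Terminals.a3x\0'
    return bytes(hdr) + body + b"\0" * 32 + b"MSCF" + b"\0" * 16

if __name__ == "__main__":
    # 0xD97FD45F is the header timestamp reported for this sample (2085-08-19).
    print(triage(build_sample(0xD97FD45F), int(time.time())))
```

Running it on a real file is `triage(open(path, "rb").read(), int(time.time()))`; the resource-directory timestamp comparison from the text needs a section-table walk and is left to pefile.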

Decompiled Behavior

Ghidra analysis confirms that the binary's entry logic is unmodified wextract.exe code:

  • Entry at 0x140001150 -> __security_init_cookie -> __mainCRTStartup.^[ghidra:entry-140001150]
  • RunInstallCommand (0x14000721c) reads the SED directives (RUNPROGRAM, POSTRUNPROGRAM, REBOOT, SHOWWINDOW) from the .rsrc section and executes the target command via CreateProcess-like logic.^[ghidra:RunInstallCommand-14000721c]
  • GetTempDirectory (0x14000521c) creates %TEMP%\msdownld.tmp, validates disk space, and sets extraction path.^[ghidra:GetTempDirectory-14000521c]
  • No anti-debug, anti-VM, or encryption in the outer SFX — it is a stock Microsoft tool with modified resources.

The malicious logic lives entirely inside the compiled Terminals.a3x, which is opaque without an AutoIt decompiler or dynamic execution.

C2 Infrastructure

None observable from static analysis. The compiled .a3x script is the only potential C2-bearing component, and it resists static string extraction. Floss failed on the outer binary (argument error).^[floss.txt] The AutoIt script is not a PE and was not analyzed by capa.^[capa.txt]

Interesting Tidbits

  • Filename bait: SomaliaCruises.exe — travel/tourism themed social-engineering lure.
  • Future-dated timestamp: PE header claims 2085 compilation, a common artifact of manual PE editing or IExpress repacking tools.
  • Sibling pattern: d364a2f6 (StatingConnectors.exe) is another asgardprotector sample with the same wextract.pdb + AutoIt3.exe + .a3x structure, using Dayton.a3x instead.^[sample d364a2f6/strings.txt]
  • Another SFX sibling: 87a158f2 (unclassified family) uses the same IExpress+AutoIt3 pattern with Easter.a3x, suggesting a broader cluster or builder tool.^[sample 87a158f2/strings.txt]
  • Floss failure: floss.txt contains only the CLI help text — the tool was invoked with a malformed --no argument, producing no string output.^[floss.txt] This is a pipeline bug, not a sample property.

How To Mess With It (Homelab Replication)

Reproducing an IExpress SFX dropper:

  1. Install IExpress (iexpress.exe is built into Windows).
  2. Create a SED file specifying:
    • AppLaunched="AutoIt3.exe" payload.a3x
    • PostInstallCmd=<None>
    • TargetName=output.exe
  3. Place AutoIt3.exe and payload.a3x in the source files list.
  4. Build. The resulting output.exe is a legitimate Microsoft-signed SFX (if you don't modify it post-build) that extracts and runs your payload.

To go malicious (like this sample):

  • Repack the SFX after build with a resource editor to strip the Microsoft signature and embed a larger CAB. Or use a third-party IExpress repacker.
  • Modify the PE timestamp to a future date.
  • Use a benign-sounding filename.

Verification step: binwalk output.exe should show Microsoft Cabinet archive data at a non-zero offset, and strings should reveal AutoIt3.exe and your .a3x name.

What you'll learn: How easily a native Windows binary can be repurposed into a dropper without writing a single line of C code, and why filename-based detection is weak against this pattern.

Deployable Signatures

YARA rule

rule AsgardProtector_IExpress_AutoIt_Dropper {
    meta:
        description = "IExpress/Wextract SFX embedding AutoIt3.exe and .a3x script"
        author = "PacketPursuit"
        date = "2026-05-27"
        hash = "d59dc2f22167b0a44bf103d664842112981d4b3dbe62f7a27e671cddbbac9d73"
    strings:
        $wextract_pdb = "wextract.pdb" ascii
        $autoit3 = "AutoIt3.exe" ascii wide
        $a3x_ext = /\.a3x/ ascii wide
        $runprogram = "RUNPROGRAM" ascii
        $postrun = "POSTRUNPROGRAM" ascii
    condition:
        uint16(0) == 0x5A4D and
        $wextract_pdb and
        $autoit3 and
        $a3x_ext and
        ($runprogram or $postrun)
}

Sigma rule

title: IExpress SFX AutoIt Execution
status: experimental
description: Detects execution of IExpress self-extractor that drops and runs AutoIt3 with an .a3x script
logsource:
    category: process_creation
    product: windows
detection:
    selection_main:
        CommandLine|contains:
            - 'AutoIt3.exe'
            - '.a3x'
    selection_parent:
        ParentImage|endswith:
            - '\wextract.exe'
            - '\SomaliaCruises.exe'
            - '\StatingConnectors.exe'
    selection_temp:
        CommandLine|contains:
            - '\msdownld.tmp'
            - '\IXP'
    condition: selection_main and (selection_parent or selection_temp)
falsepositives:
    - Legitimate IExpress installers that happen to include AutoIt (rare)
level: high
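To see how the rule's condition behaves on telemetry, the evaluator below is an added example written for this page (a hypothetical helper, not a Sigma backend). It applies Sigma's default semantics, case-insensitive matching and OR across the values listed under one modifier, to three constructed process_creation events.

```python
# Added evaluator for the Sigma rule above, written for this page (hypothetical
# helper, not a Sigma backend). Sigma matches strings case-insensitively and ORs
# the values listed under one modifier, so selection_main fires on either string.
RULE = {
    "selection_main": ("CommandLine", "contains", ["AutoIt3.exe", ".a3x"]),
    "selection_parent": ("ParentImage", "endswith",
                         ["\\wextract.exe", "\\SomaliaCruises.exe", "\\StatingConnectors.exe"]),
    "selection_temp": ("CommandLine", "contains", ["\\msdownld.tmp", "\\IXP"]),
}

def selection_matches(event: dict, field: str, op: str, values: list) -> bool:
    haystack = str(event.get(field, "")).lower()
    for value in values:
        value = value.lower()
        if op == "contains" and value in haystack:
            return True
        if op == "endswith" and haystack.endswith(value):
            return True
    return False

def rule_matches(event: dict) -> bool:
    """condition: selection_main and (selection_parent or selection_temp)"""
    hit = {name: selection_matches(event, *spec) for name, spec in RULE.items()}
    return hit["selection_main"] and (hit["selection_parent"] or hit["selection_temp"])

# Constructed process_creation events (not real telemetry).
EVENTS = [
    # 1. the chain this sample produces: lure SFX -> AutoIt3 with the .a3x from msdownld.tmp
    {"ParentImage": r"C:\Users\u\Downloads\SomaliaCruises.exe",
     "CommandLine": r'"C:\Users\u\AppData\Local\Temp\msdownld.tmp\AutoIt3.exe" Terminals.a3x'},
    # 2. unknown lure name, but the IXP temp path still satisfies selection_temp
    {"ParentImage": r"C:\Users\u\Downloads\unknown_name.exe",
     "CommandLine": r"C:\Users\u\AppData\Local\Temp\IXP000.TMP\autoit3.exe dayton.a3x"},
    # 3. developer running AutoIt from explorer: selection_main only, so no alert
    {"ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\AutoIt3\AutoIt3.exe" build.au3'},
]

def evaluate(events=EVENTS) -> list:
    return [rule_matches(e) for e in events]

if __name__ == "__main__":
    for e, hit in zip(EVENTS, evaluate()):
        print("ALERT " if hit else "ok    ", e["CommandLine"])
```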

IOC list

Indicator                                                           Type             Notes
d59dc2f22167b0a44bf103d664842112981d4b3dbe62f7a27e671cddbbac9d73    SHA-256          Outer SFX
5d69a932a077fee044b193c28e84564143f5c7e51079ab48e88fef74ab0b77b7    SHA-256          AutoIt3.exe payload
79d0909100aebf8fab15e0d925d7d1ae5cace5fa5c53ee9ac864944272c6a1df    SHA-256          Terminals.a3x compiled script
SomaliaCruises.exe                                                  Filename         Social-engineering lure
wextract.pdb                                                        PDB path         Outer SFX marker
AutoIt3.exe + *.a3x                                                 File pair        Post-extraction execution
%TEMP%\msdownld.tmp                                                 Directory        Extraction target
rundll32.exe %sadvpack.dll,DelNodeRunDLL32                          Cleanup command  Post-run cleanup

Behavioral fingerprint

This binary is a PE32+ x64 Microsoft Cabinet self-extractor with a .rsrc section exceeding 1.8 MB and entropy >7.4. Upon execution, it writes AutoIt3.exe and a .a3x file to a temporary directory under %TEMP%, then launches the AutoIt interpreter with the compiled script as its argument. No network indicators are visible in the outer SFX; all malicious behavior is expected to reside in the compiled AutoIt script, which requires dynamic analysis or an AutoIt decompiler to inspect.

Detection Signatures

ATT&CK Technique                                               Implementation                 Evidence
T1204.002 (User Execution: Malicious File)                     Double-click SFX lure          Filename SomaliaCruises.exe^[triage.json:5]
T1059.005 (Command and Scripting Interpreter: Visual Basic)    AutoIt3 script execution       AutoIt3.exe + Terminals.a3x^[strings.txt:2954]
T1071 (Application Layer Protocol)                             Unknown — payload-dependent    Requires dynamic analysis of .a3x
T1027 (Obfuscated Files or Information)                        Compiled AutoIt script (.a3x)  Terminals.a3x is opaque binary^[binwalk.txt]
T1574.002 (Hijack Execution Flow: DLL Side-Loading)            Not observed                   N/A

References

  • d59dc2f22167b0a44bf103d664842112981d4b3dbe62f7a27e671cddbbac9d73 (this analysis)
  • asgardprotector — family entity page
  • iexpress-sfx-dropper — concept page for the delivery mechanism
  • autoit-compiled-script-dropper — concept page for the payload pattern
  • Sibling: d364a2f6997fd4874ba180207f6785151532c0fd3f014e36d44f330d50037191 (StatingConnectors.exe, Dayton.a3x)
  • Cluster: 87a158f2dfdbc21bae4a72270df0e9e710434d7ae19d8b1ca206d26374a8a966 (Easter.a3x, unclassified)

Provenance

  • File type: file v5.45.^[file.txt]
  • PE sections & headers: pefile Python module.^[pefile.txt]
  • Strings: strings from binutils.^[strings.txt]
  • Floss: flare-floss v2.3.0 (failed due to CLI argument error).^[floss.txt]
  • Capa: Mandiant capa v7 (installer limitation warning).^[capa.txt]
  • Binwalk: binwalk v2.3.4.^[binwalk.txt]
  • radare2: rabin2 v5.9.2.^[rabin2-info.txt]
  • Ghidra: v12.1, decompiled entry and RunInstallCommand/GetTempDirectory.^[ghidra:entry-140001150]^[ghidra:RunInstallCommand-14000721c]^[ghidra:GetTempDirectory-14000521c]
  • CAB extraction: 7z v23.01.
  • No dynamic analysis available (CAPE skipped — no Windows guest).^[dynamic-analysis.md]