type: concept | confidence: high | created: 2026-05-27 | updated: 2026-05-27 | tags: packer, evasion, pe, malware-family

IExpress SFX Dropper

The Microsoft IExpress/Wextract self-extractor (wextract.exe) repurposed as a malware dropper. The outer PE is a legitimate Windows system binary that extracts an embedded Cabinet archive to a temp directory and executes a post-extraction command defined in a Self-Extraction Directive (SED).

Pattern Definition

  1. Outer PE: wextract.exe or a binary with wextract.pdb.
  2. Embedded CAB: Stored in .rsrc, extracted to %TEMP%\msdownld.tmp or similar.
  3. SED directives: RUNPROGRAM, POSTRUNPROGRAM, REBOOT, SHOWWINDOW stored as string resources.
  4. Execution: The RUNPROGRAM command is launched via CreateProcess after extraction.

Variants

  • Signed variant: Original IExpress output retains Microsoft Authenticode. Rarely seen in malware because the CAB and SED must be embedded at build time.
  • Unsigned/repacked variant: More common. The SFX is rebuilt or resource-edited to strip the signature, modify the CAB, and change the timestamp. Seen in asgardprotector.

Defensive Detection

  • PE with wextract.pdb but no valid Microsoft signature.
  • .rsrc entropy >7.0 and size >1 MB (CAB payload).
  • Parent process wextract.exe spawning unexpected child processes (e.g., AutoIt3.exe, .vbs, .bat).
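Added example (not code from the original note): a static triage script in Python that applies the first two indicators above to a PE file using only the standard library. It checks that an Authenticode security directory is present rather than validating the chain, and it builds a constructed minimal PE32 (with an embedded wextract.pdb string and a high-entropy .rsrc section) so the check runs offline.

```python
import math
import os
import struct
from collections import Counter
ENTROPY_MIN, RSRC_MIN_BYTES = 7.0, 1024 * 1024   # thresholds from the note's detection section

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 means uniformly random, which is what a compressed CAB looks like."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_pe(buf: bytes) -> dict:
    """Minimal PE32/PE32+ parse: Authenticode directory presence plus raw bytes per section."""
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    assert buf[e_lfanew:e_lfanew + 4] == b"PE\0\0", "not a PE file"
    _, nsect, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", buf, e_lfanew + 4)  # COFF header
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", buf, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)           # start of the data directory table
    _off, sec_size = struct.unpack_from("<II", buf, dirs + 4 * 8)  # IMAGE_DIRECTORY_ENTRY_SECURITY
    sections = {}
    for i in range(nsect):
        name, _vs, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", buf, opt + opt_size + 40 * i)
        sections[name.rstrip(b"\0").decode()] = buf[raw_ptr:raw_ptr + raw_size]
    return {"has_authenticode": sec_size > 0, "sections": sections}  # presence only, not chain validity

def triage(buf: bytes) -> list:
    """Return the note's static indicators that fire for this file."""
    pe = parse_pe(buf)
    hits = []
    if b"wextract.pdb" in buf and not pe["has_authenticode"]:
        hits.append("wextract.pdb without Authenticode")
    rsrc = pe["sections"].get(".rsrc", b"")
    if len(rsrc) > RSRC_MIN_BYTES and shannon_entropy(rsrc) > ENTROPY_MIN:
        hits.append(".rsrc >1 MB with entropy >7.0 (embedded CAB?)")
    return hits

def build_sample(signed: bool, rsrc_len: int, random_rsrc: bool = True) -> bytes:
    """Constructed minimal PE32 (not a real binary) so the triage can run offline."""
    text = b"C:\\build\\wextract.pdb".ljust(32, b"\0")     # stands in for the debug-path string
    rsrc = os.urandom(rsrc_len) if random_rsrc else bytes(rsrc_len)
    hdr_end = 64 + 24 + 224 + 2 * 40                       # DOS + PE/COFF + optional + 2 section entries
    dirs = [(0, 0)] * 16
    dirs[4] = (hdr_end + len(text) + rsrc_len, 8) if signed else (0, 0)  # dummy signature blob at EOF
    opt = struct.pack("<H", 0x10B) + bytes(94) + b"".join(struct.pack("<II", *d) for d in dirs)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, len(opt), 0x102)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(text), 0x1000, len(text), hdr_end, 0, 0, 0, 0, 0x60000020)
    sect += struct.pack("<8sIIIIIIHHI", b".rsrc", rsrc_len, 0x2000, rsrc_len, hdr_end + len(text), 0, 0, 0, 0, 0x40000040)
    dos = b"MZ" + bytes(58) + struct.pack("<I", 64)
    return dos + coff + opt + sect + text + rsrc + (bytes(8) if signed else b"")
```

Run `triage(open(path, "rb").read())` on a real sample to see which indicators fire; the third indicator (wextract.exe parent spawning unexpected children) is a process-telemetry check and is not covered here.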

Cross-References