Concrete signature match: Virus - Infects other files for 32-bit Windows platform, family Expiro
Virus:Win32/Expiro.EK!MTB is a sophisticated polymorphic file infector detected through a concrete signature combined with machine-learning behavioral analysis. Its associated strings point to process injection and API hooking, persistence via scheduled tasks and BITS jobs, and execution through legitimate Windows utilities such as rundll32 and PowerShell. Taken together, this indicates a threat aimed at deep system compromise and sustained malicious activity.
Relevant strings associated with this threat:

- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
rule Virus_Win32_Expiro_EK_2147899592_0
{
    meta:
        author = "threatcheck.sh"
        detection_name = "Virus:Win32/Expiro.EK!MTB"
        threat_id = "2147899592"
        type = "Virus"
        platform = "Win32: Windows 32-bit platform"
        family = "Expiro"
        severity = "Critical"
        info = "MTB: Microsoft Threat Behavior"
        signature_type = "SIGNATURE_TYPE_PEHSTR_EXT"
        threshold = "10"
        strings_accuracy = "High"
    strings:
        $x_5_1 = {55 53 0f 84 89 00 00 00 0f 85 83 00 00 00 00 00 00 00 53 56 68 02 01 00 00 0f 84 90 00 00 00 0f 85 8a 00 00 00 0f 84 35 e1 ff ff 0f 85 60 c4 ff ff e9 0f 84 6c 01 00 00 89 c6 89 e0 50 0f 84 f7 01 00 00 0f 85 f1 01 00 00 00 00 00 00 5d c2 04 00} //weight: 5, accuracy: High
        $x_5_2 = {13 0f 84 41 01 00 00 0f 84 95 01 00 00 0f 85 8f 01 00 00 e9 0f 84 9e 00 00 00 47 3b 7c 1e 18 0f 82 70 01 00 00 0f 84 88 00 00 00 0f 85 82 00 00 00 00 00 00 00 57 56 83 ec 40 8b 44 24 54 8b 68 08 8b 38} //weight: 5, accuracy: High
    condition:
        (filesize < 20MB) and
        (all of ($x*))
}

Immediately isolate the affected system(s) to prevent further spread. Conduct a full system scan with updated antivirus/EDR, remove all detected malicious files, and meticulously check for and remove any established persistence mechanisms (e.g., scheduled tasks, registry entries, BITS jobs). If complete eradication cannot be confirmed, re-image the system(s).