expand.exe
- File Path:
C:\Windows\SysWOW64\expand.exe - Description: LZ Expansion Utility
Hashes
| Type | Hash |
|---|---|
| MD5 | B245CEEC35156CB95CAB80865F1A6D56 |
| SHA1 | 79374B8230443624E788DF8C9B0964D9B5D16FD4 |
| SHA256 | F8603F7E5E3158E5E381854E1036781269C56A7671555628AB20C1102640AC3F |
| SHA384 | A53D012065A518179327DBA99528C12B1C933CE3D74A3A397ACB3503F36709EFCA13A38592933B185ECBDFB84B68B718 |
| SHA512 | C0930E0775EC60F8CA80D2FCA73B2721186F935FF8922F4AF02DB913D287F2EAA9532E325B062FFBD62F879458A5D93D2D2A11C833BB2D93368E294628CB6CE8 |
| SSDEEP | 768:C6xmXuiialKHTiPgnwFdPAMA2mciTtbnlveD7UUVAxCMUn:C6xiu/HOonwFdPAQmHT9nxtsMUn |
| IMP | 69150CCEA4BC1D53D379CE29BCAE7760 |
| PESHA1 | 4DCD88B2BE3EB13D2F0718E28ECD79A898167560 |
| PE256 | 80550E6E0DF28D6BE5E800BAF25E4B0C03537FD6978B78EDF089AB142863309E |
Runtime Data
Usage (stdout):
Microsoft (R) File Expansion Utility
Copyright (c) Microsoft Corporation. All rights reserved.
No destination specified for: help.
Loaded Modules:
| Path |
|---|
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\System32\wow64.dll |
| C:\Windows\System32\wow64cpu.dll |
| C:\Windows\System32\wow64win.dll |
| C:\Windows\SysWOW64\expand.exe |
Signature
- Status: Signature verified.
- Serial:
33000001C422B2F79B793DACB20000000001C4 - Thumbprint:
AE9C1AE54763822EEC42474983D8B635116C8452 - Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: expand
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 5.00 (WinBuild.160101.0800)
- Product Version: 5.00
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/71
- VirusTotal Link: https://www.virustotal.com/gui/file/f8603f7e5e3158e5e381854e1036781269c56a7671555628ab20c1102640ac3f/detection/
File Similarity (ssdeep match)
| File | Score |
|---|---|
| C:\Windows\SysWOW64\CertEnrollCtrl.exe | 33 |
| C:\Windows\SysWOW64\CertEnrollCtrl.exe | 33 |
| C:\Windows\SysWOW64\expand.exe | 32 |
| C:\Windows\SysWOW64\tzutil.exe | 32 |
| C:\Windows\SysWOW64\tzutil.exe | 25 |
Possible Misuse
The following table contains possible examples of expand.exe being misused. While expand.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
|---|---|---|---|
| sigma | sysmon_suspicious_remote_thread.yml | - '\expand.exe' |
DRL 1.0 |
| sigma | posh_pm_decompress_commands.yml | Payload\|contains: 'Expand-Archive' |
DRL 1.0 |
| sigma | proc_creation_win_expand_cabinet_files.yml | description: Adversaries can use the inbuilt expand utility to decompress cab files as seen in recent Iranian MeteorExpress attack |
DRL 1.0 |
| sigma | proc_creation_win_expand_cabinet_files.yml | - '\expand.exe' |
DRL 1.0 |
| LOLBAS | Expand.yml | Name: Expand.exe |
|
| LOLBAS | Expand.yml | - Command: expand \\webdav\folder\file.bat c:\ADS\file.bat |
|
| LOLBAS | Expand.yml | - Command: expand c:\ADS\file1.bat c:\ADS\file2.bat |
|
| LOLBAS | Expand.yml | - Command: expand \\webdav\folder\file.bat c:\ADS\file.txt:file.bat |
|
| LOLBAS | Expand.yml | - Path: C:\Windows\System32\Expand.exe |
|
| LOLBAS | Expand.yml | - Path: C:\Windows\SysWOW64\Expand.exe |
|
| atomic-red-team | T1003.001.md | Expand-Archive $zippath $parentpath\wce -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Expand-Archive $env:TEMP\Procdump.zip $env:TEMP\Procdump -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.001.md | Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.004.md | Expand-Archive $env:TEMP\PSTools.zip $env:TEMP\PSTools -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.006.md | Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.001.md | Adversaries may connect to a remote system over RDP/RDS to expand access if the service is enabled and allows access to accounts with known credentials. Adversaries will likely use Credential Access techniques to acquire credentials to use with RDP. Adversaries may also use RDP in conjunction with the Accessibility Features technique for Persistence.(Citation: Alperovitch Malware)</blockquote> | MIT License. © 2018 Red Canary |
| atomic-red-team | T1021.002.md | Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1027.md | Expand-Archive -path “$env:temp\T1027.zip” -DestinationPath “$env:temp\temp_T1027.zip" -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1036.md | Expand-Archive -Path $env:userprofile\Downloads\T1036.zip -DestinationPath $env:userprofile\Downloads\T1036 -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1048.002.md | Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.md | Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1055.012.md | $ppid=Get-Process #{parent_process_name} | select -expand id | MIT License. © 2018 Red Canary |
| atomic-red-team | T1071.001.md | Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl | MIT License. © 2018 Red Canary |
| atomic-red-team | T1090.003.md | expand-archive -LiteralPath “$env:temp\tor.zip” -DestinationPath “$env:temp\tor” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1095.md | Expand-Archive $zippath $parentpath -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1105.md | Expand-Archive -Path $env:temp\curl.zip -DestinationPath $env:temp\curl | MIT License. © 2018 Red Canary |
| atomic-red-team | T1134.004.md | $ppid=Get-Process #{parent_process_name} | select -expand id | MIT License. © 2018 Red Canary |
| atomic-red-team | T1207.md | Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1207.md | Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1485.md | Expand-Archive $env:TEMP\SDelete.zip $env:TEMP\Sdelete -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Expand-Archive $env:TEMP\uacme.zip $env:TEMP\uacme -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1550.002.md | Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1550.003.md | Expand-Archive $env:TEMP\Mimi.zip $env:TEMP\Mimi -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1550.003.md | Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1555.003.md | After acquiring credentials from web browsers, adversaries may attempt to recycle the credentials across different systems and/or accounts in order to expand access. This can result in significantly furthering an adversary’s objective in cases where credentials gained from web browsers overlap with privileged accounts (e.g. domain administrator).</blockquote> | MIT License. © 2018 Red Canary |
| atomic-red-team | T1555.003.md | Expand-Archive #{file_path}\Modified-SysInternalsSuite.zip #{file_path}\sysinternals -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.001.md | $domain = gwmi Win32_ComputerSystem | Select -Expand Domain | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.001.md | Expand-Archive $env:TEMP\mimikatz.zip $env:TEMP\mimikatz -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Expand-Archive $env:TEMP\Sysmon.zip $env:TEMP\Sysmon -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | Expand-Archive $zippath $parentpath -Force; Remove-Item $zippath | MIT License. © 2018 Red Canary |
| atomic-red-team | T1562.001.md | expand-archive -LiteralPath “$env:temp\defendercontrol.zip” -DestinationPath “$env:temp\DefenderControl” | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.004.md | expand \webdav\folder\file.bat #{path}\file.txt:file.bat | MIT License. © 2018 Red Canary |
| atomic-red-team | T1569.002.md | Expand-Archive $env:TEMP\PsTools.zip $env:TEMP\PsTools -Force | MIT License. © 2018 Red Canary |
| atomic-red-team | T1588.002.md | Expand-Archive $env:temp\AdvancedRun.zip #{local_folder} -Force | MIT License. © 2018 Red Canary |
| signature-base | apt_op_honeybee.yar | $x1 = “cmd /c expand %TEMP%\setup.cab -F:* %SystemRoot%\System32” | CC BY-NC 4.0 |
| signature-base | gen_pirpi.yar | $x1 = “expand.exe1.gif” fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_pirpi.yar | $c1 = “expand.exe” fullword ascii | CC BY-NC 4.0 |
| stockpile | cc191baa-7472-4386-a2f4-42f203f1acfd.yml | Expand-Archive -LiteralPath $download_folder"PSTools.zip" -DestinationPath $staging_folder; |
Apache-2.0 |
| stockpile | 0ef4cc7b-611c-4237-b20b-db36b6906554.yml | Expand-Archive -LiteralPath $download_folder"Procdump.zip" -DestinationPath $staging_folder; |
Apache-2.0 |
| stockpile | 46da2385-cf37-49cb-ba4b-a739c7a19de4.yml | Expand-Archive -LiteralPath xmrig-6.11.2-msvc-win64.zip -DestinationPath .\; |
Apache-2.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
expand
Applies to: Windows Server 2022, Windows Server 2019, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012
Expands one or more compressed files. You can also use this command to retrieve compressed files from distribution disks.
The expand command can also run from the Windows Recovery Console, using different parameters. For more information, see Windows Recovery Environment (WinRE).
Syntax
expand [/r] <source> <destination>
expand /r <source> [<destination>]
expand /i <source> [<destination>]
expand /d <source>.cab [/f:<files>]
expand <source>.cab /f:<files> <destination>
Parameters
| Parameter | Description |
|---|---|
| /r | Renames expanded files. |
| source | Specifies the files to expand. Source can consist of a drive letter and colon, a directory name, a file name, or a combination of these. You can use wildcards (* or ?). |
| destination | Specifies where files are to be expanded.<p>If source consists of multiple files and you don’t specify /r, the destination must be a directory. Destination can consist of a drive letter and colon, a directory name, a file name, or a combination of these. Destination file | path specification. |
| /i | Renames expanded files but ignores the directory structure. |
| /d | Displays a list of files in the source location. Doesn’t expand or extract the files. |
/f:<files> |
Specifies the files in a cabinet (.cab) file that you want to expand. You can use wildcards (* or ?). |
| /? | Displays help at the command prompt. |
Additional References
MIT License. Copyright (c) 2020-2021 Strontic.