Process

unknown

extrac32.exe

extrac32.exe extracts files from Windows cabinet (.cab) archives and can copy files. Like expand, it has a legitimate servicing role. Attackers use it to copy files, including across remote shares, through a signed binary for ingress and staging.

File identity

File details

Not observed.

Signing information

Not observed.

File version (0)

Not observed.

File size (0)

Not observed.

Execution context

File paths (0)

Not observed.

User context (0)

Not observed.

Integrity level (0)

Not observed.

Instances (0)

Not observed.

Session (0)

Not observed.

Token privileges (0)

Not observed.

Ancestry

Parents (0)

Not observed.

Children (0)

Not observed.

Grandparents (0)

Not observed.

Grandchildren (0)

Not observed.

Behavior

Loaded modules (0)

Not observed.

Named pipes (0)

Not observed.

Process handles (0)

Not observed.

Command-line patterns (0)

Not observed.

LOLBAS (4)
  • extrac32 {PATH_ABSOLUTE:.cab} {PATH_ABSOLUTE}:file.exe (ADS) · Extract data from cab file and hide it in an alternate data stream.
  • extrac32 /Y /C {PATH_SMB} {PATH_ABSOLUTE} (Download) · Download file from UNC/WebDAV
  • extrac32.exe /C {PATH_ABSOLUTE:.source.exe} {PATH_ABSOLUTE:.dest.exe} (Copy) · Copy file

Indicators

Hashes

Not observed.

Analysis

About this process

extrac32.exe unpacks .cab cabinet archives and can also copy a plain file from one location to another with the /c option. Source and destination can be UNC paths, so it reads and writes over the network. The genuine binary lives at C:\Windows\System32\extrac32.exe.

Legitimately, extrac32 is used in servicing and installer scenarios that handle cabinet files; interactive use is rare. The source and destination it operates on are what give an instance meaning.

Security notes

extrac32.exe is an ingress and staging tool (T1105). Its file-copy ability, including across UNC paths, lets an attacker pull a file onto the host or stage one through a trusted, signed binary, the same role as expand.exe. A copy from a remote share, or a payload-like file landing in a user-writable directory, is what gives it away.

Because extrac32 has a real servicing purpose, the source and destination are what matter. A remote source or a suspicious destination under an unusual parent separates abuse from legitimate cabinet handling.

Anomaly signals (4)
  • Image path other than C:\Windows\System32\extrac32.exe (high)
  • /c copying from or to a remote (\\host\share) path (high)
  • Writing an executable or script into a user-writable path (high)
  • Parent is an Office application, a script host, or an unfamiliar process (high)

Telemetry

OS prevalence (0)

Not observed.

Observation timeline

Not observed.

References
