choice.exe

  • File Path: C:\WINDOWS\system32\choice.exe
  • Description: Offers the user a choice

Hashes

Type Hash
MD5 A77F6B3FF432FB9B92901974FB382117
SHA1 A2C960E3BA9AE346242B79D4A2D746F593C1ACF8
SHA256 FB6EF3E6E2CDFC22AD75D999665CF64A4B02CA71AA2BE08094153316C71D65F5
SHA384 A24F4DC2C327BBCABD76B608EBA4C57C553FA0CC08FAEEB54CFAFDA98FDC7FBAA64FFBCB6068C462E7690BEB1B151F6E
SHA512 D1C4720CE770D6CFA899D72C83FE299E4DD268BEE442C023C78A65A6F5F55B4285F49EF1750E1D6550DEBAEA8AEDF982822D89404D8B4B2F5ABBE73891BE2540
SSDEEP 768:pXw5dGayID4A6EtcQkXvCuGccWDCRDkr/rBpW3ltxFc5XA:pXwhyIEtocRLpcRDkr/Y3xS5XA
IMP FF7589A0EC4EB53BB14D713605AB2EB3
PESHA1 7C5F2CC0AE27D5986F91EFFEC36A76A3FC38A259
PE256 121FF6328676A21775E0761866EAD43C1995E1C053DD759912218D8E602DF8F9

Runtime Data

Usage (stdout):


CHOICE [/C choices] [/N] [/CS] [/T timeout /D choice] [/M text]

Description:
    This tool allows users to select one item from a list 
    of choices and returns the index of the selected choice.

Parameter List:
   /C    choices       Specifies the list of choices to be created.
                       Default list is "YN".

   /N                  Hides the list of choices in the prompt.
                       The message before the prompt is displayed
                       and the choices are still enabled.

   /CS                 Enables case-sensitive choices to be selected.
                       By default, the utility is case-insensitive.

   /T    timeout       The number of seconds to pause before a default 
                       choice is made. Acceptable values are from 0 to 
                       9999. If 0 is specified, there will be no pause 
                       and the default choice is selected.

   /D    choice        Specifies the default choice after nnnn seconds.
                       Character must be in the set of choices specified
                       by /C option and must also specify nnnn with /T.

   /M    text          Specifies the message to be displayed before 
                       the prompt. If not specified, the utility 
                       displays only a prompt.

   /?                  Displays this help message.

   NOTE:
   The ERRORLEVEL environment variable is set to the index of the
   key that was selected from the set of choices. The first choice
   listed returns a value of 1, the second a value of 2, and so on.
   If the user presses a key that is not a valid choice, the tool 
   sounds a warning beep. If tool detects an error condition,
   it returns an ERRORLEVEL value of 255. If the user presses 
   CTRL+BREAK or CTRL+C, the tool returns an ERRORLEVEL value
   of 0. When you use ERRORLEVEL parameters in a batch program, list
   them in decreasing order.

Examples:
   CHOICE /?
   CHOICE /C YNC /M "Press Y for Yes, N for No or C for Cancel."
   CHOICE /T 10 /C ync /CS /D y 
   CHOICE /C ab /M "Select a for option 1 and b for option 2."
   CHOICE /C ab /N /M "Select a for option 1 and b for option 2."

Usage (stderr):

ERROR: Invalid argument/option - '--help'.
Type "CHOICE /?" for usage.

Loaded Modules:

Path
C:\WINDOWS\system32\choice.exe
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: choice.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/fb6ef3e6e2cdfc22ad75d999665cf64a4b02ca71aa2be08094153316c71d65f5/detection

Possible Misuse

The following table contains possible examples of choice.exe being misused. While choice.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma edr_command_execution_by_office_applications.yml #useful_information: Add more office applications to the rule logic of choice DRL 1.0
sigma file_event_win_script_creation_by_office_using_file_ext.yml description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. DRL 1.0
sigma file_event_win_script_creation_by_office_using_file_ext.yml #useful_information: Please add more file extensions to the logic of your choice. DRL 1.0
sigma proc_creation_win_lolbins_by_office_applications.yml #useful_information: add more LOLBins to the rules logic of your choice. DRL 1.0
sigma proc_creation_win_lolbins_with_wmiprvse_parent_process.yml #useful_information: add more LOLBins to the rules logic of your choice. DRL 1.0
sigma proc_creation_win_office_applications_spawning_wmi_commandline.yml #useful_information: Add more office applications to the rule logic of choice DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml #useful_information: add more LOLBins to the rules logic of your choice. DRL 1.0
sigma proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml #useful_information: add more LOLBins to the rules logic of your choice. DRL 1.0
sigma proc_creation_win_office_spawning_wmi_commandline.yml #useful_information: Add more office applications to the rule logic of choice DRL 1.0
sigma registry_event_wab_dllpath_reg_change.yml title: Execution DLL of Choice Using WAB.EXE DRL 1.0
sigma file_event_executable_and_script_creation_by_office_using_file_ext.yml description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. DRL 1.0
sigma file_event_executable_and_script_creation_by_office_using_file_ext.yml #useful_information: Please add more file extensions and magic bytes to the logic of your choice. DRL 1.0
LOLBAS Wab.yml Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice  
atomic-red-team index.md - Atomic Test #3: Maldoc choice flags command execution [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #3: Maldoc choice flags command execution [windows] MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md - Atomic Test #3 - Maldoc choice flags command execution MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md ## Atomic Test #3 - Maldoc choice flags command execution MIT License. © 2018 Red Canary
atomic-red-team T1204.002.md $macrocode = “ a = Shell("cmd.exe /c choice /C Y /N /D Y /T 3”, vbNormalFocus)” MIT License. © 2018 Red Canary
signature-base apt_eqgrp_apr17.yar $x5 = “If one choice fails, you may want to try another.” fullword ascii CC BY-NC 4.0
signature-base apt_eqgrp_apr17.yar $x1 = “[-] Error: Exploit choice not supported for target OS!!” fullword ascii CC BY-NC 4.0
signature-base gen_mal_backnet.yar $s6 = “/C choice /C Y /N /D Y /T 4 & Del” wide CC BY-NC 4.0
signature-base gen_webshells.yar // a good choice is a string with good atom quality = ideally 4 unusual characters next to each other CC BY-NC 4.0
signature-base thor-hacktools.yar $s1 = “if not "%Choice%"=="" set Choice=%Choice:~0,1%” ascii CC BY-NC 4.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


choice

Prompts the user to select one item from a list of single-character choices in a batch program, and then returns the index of the selected choice. If used without parameters, choice displays the default choices Y and N.

Syntax

choice [/c [<choice1><choice2><…>]] [/n] [/cs] [/t <timeout> /d <choice>] [/m <text>]

Parameters

Parameter Description
/c <choice1><choice2><…> Specifies the list of choices to be created. Valid choices include a-z, A-Z, 0-9, and extended ASCII characters (128-254). The default list is YN, which is displayed as [Y,N]?.
/n Hides the list of choices, although the choices are still enabled and the message text (if specified by /m) is still displayed.
/cs Specifies that the choices are case-sensitive. By default, the choices are not case-sensitive.
/t <timeout> Specifies the number of seconds to pause before using the default choice specified by /d. Acceptable values are from 0 to 9999. If /t is set to 0, choice does not pause before returning the default choice.
/d <choice> Specifies the default choice to use after waiting the number of seconds specified by /t. The default choice must be in the list of choices specified by /c.
/m <text> Specifies a message to display before the list of choices. If /m is not specified, only the choice prompt is displayed.
/? Displays help at the command prompt.

Remarks

  • The ERRORLEVEL environment variable is set to the index of the key that the user selects from the list of choices. The first choice in the list returns a value of 1, the second a value of 2, and so on. If the user presses a key that is not a valid choice, choice sounds a warning beep.

  • If choice detects an error condition, it returns an ERRORLEVEL value of 255. If the user presses CTRL+BREAK or CTRL+C, choice returns an ERRORLEVEL value of 0.

[!NOTE] When you use ERRORLEVEL values in a batch program, you must list them in decreasing order.

Examples

To present the choices Y, N, and C, type the following line in a batch file:

choice /c ync

The following prompt appears when the batch file runs the choice command:

[Y,N,C]?

To hide the choices Y, N, and C, but display the text Yes, No, or Continue, type the following line in a batch file:

choice /c ync /n /m "Yes, No, or Continue?"

[!NOTE] If you use the /n parameter, but do not use /m, the user is not prompted when choice is waiting for input.

To show both the text and the options used in the previous examples, type the following line in a batch file:

choice /c ync /m "Yes, No, or Continue"

To set a time limit of five seconds and specify N as the default value, type the following line in a batch file:

choice /c ync /t 5 /d n

[!NOTE] In this example, if the user doesn’t press a key within five seconds, choice selects N by default and returns an error value of 2. Otherwise, choice returns the value corresponding to the user’s choice.

Additional References


MIT License. Copyright (c) 2020-2021 Strontic.