choice.exe
- File Path: C:\Windows\SysWOW64\choice.exe
- Description: Offers the user a choice
Hashes
Type | Hash |
---|---|
MD5 | FCE0E41C87DC4ABBE976998AD26C27E4 |
SHA1 | 6FA25E0162F4AB0ABF7BCD8368B03722244D81FF |
SHA256 | F6E5759793032BB3CE69658D0D4F0049A06E25FDC316D457846BB644212730AF |
SHA384 | B9EE098EA6984F9D916A9B6EC8FF5380B2481944F0CE76FD0F327CA288082AA728D6D4D53F6F306AEC6B596EC163F235 |
SHA512 | EC348B6B0AE65A42021DA7765896A52CD7658295FF93065ECBD11ED7C509DBACF8E0FAEA5B9D2E13291CCE33A813A96D5C3C90A118E3949396B8B0424BAFBFBA |
SSDEEP | 768:frftNwW24gksQdc+bIyni4hTNGeLBHXyxnd3PX:frftNwhdP+ztnikMeLBHixd3P |
IMP | A445244C63114214072FAF6C3DCE1438 |
PESHA1 | 6F1BE54FF6978CF5ACDDF933038CF3084EA5E9E9 |
PE256 | EAE3CBE520820FEA0CA911D56615C55082D018E095A9980BE80BFAFD9BC4F3D8 |
Runtime Data
Usage (stdout):
CHOICE [/C choices] [/N] [/CS] [/T timeout /D choice] [/M text]
Description:
This tool allows users to select one item from a list
of choices and returns the index of the selected choice.
Parameter List:
/C choices Specifies the list of choices to be created.
Default list is "YN".
/N Hides the list of choices in the prompt.
The message before the prompt is displayed
and the choices are still enabled.
/CS Enables case-sensitive choices to be selected.
By default, the utility is case-insensitive.
/T timeout The number of seconds to pause before a default
choice is made. Acceptable values are from 0 to
9999. If 0 is specified, there will be no pause
and the default choice is selected.
/D choice Specifies the default choice after nnnn seconds.
Character must be in the set of choices specified
by /C option and must also specify nnnn with /T.
/M text Specifies the message to be displayed before
the prompt. If not specified, the utility
displays only a prompt.
/? Displays this help message.
NOTE:
The ERRORLEVEL environment variable is set to the index of the
key that was selected from the set of choices. The first choice
listed returns a value of 1, the second a value of 2, and so on.
If the user presses a key that is not a valid choice, the tool
sounds a warning beep. If tool detects an error condition,
it returns an ERRORLEVEL value of 255. If the user presses
CTRL+BREAK or CTRL+C, the tool returns an ERRORLEVEL value
of 0. When you use ERRORLEVEL parameters in a batch program, list
them in decreasing order.
Examples:
CHOICE /?
CHOICE /C YNC /M "Press Y for Yes, N for No or C for Cancel."
CHOICE /T 10 /C ync /CS /D y
CHOICE /C ab /M "Select a for option 1 and b for option 2."
CHOICE /C ab /N /M "Select a for option 1 and b for option 2."
Usage (stderr):
ERROR: Invalid argument/option - '--help'.
Type "CHOICE /?" for usage.
Loaded Modules:
Path |
---|
C:\Windows\SYSTEM32\ntdll.dll |
C:\Windows\System32\wow64.dll |
C:\Windows\System32\wow64cpu.dll |
C:\Windows\System32\wow64win.dll |
C:\Windows\SysWOW64\choice.exe |
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: choice.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.19041.1 (WinBuild.160101.0800)
- Product Version: 10.0.19041.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/75
- VirusTotal Link: https://www.virustotal.com/gui/file/f6e5759793032bb3ce69658d0d4f0049a06e25fdc316d457846bb644212730af/detection
Possible Misuse
The following table contains possible examples of choice.exe being misused. While choice.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | edr_command_execution_by_office_applications.yml | #useful_information: Add more office applications to the rule logic of choice | DRL 1.0 |
sigma | file_event_win_script_creation_by_office_using_file_ext.yml | description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. | DRL 1.0 |
sigma | file_event_win_script_creation_by_office_using_file_ext.yml | #useful_information: Please add more file extensions to the logic of your choice. | DRL 1.0 |
sigma | proc_creation_win_lolbins_by_office_applications.yml | #useful_information: add more LOLBins to the rules logic of your choice. | DRL 1.0 |
sigma | proc_creation_win_lolbins_with_wmiprvse_parent_process.yml | #useful_information: add more LOLBins to the rules logic of your choice. | DRL 1.0 |
sigma | proc_creation_win_office_applications_spawning_wmi_commandline.yml | #useful_information: Add more office applications to the rule logic of choice | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload.yml | #useful_information: add more LOLBins to the rules logic of your choice. | DRL 1.0 |
sigma | proc_creation_win_office_from_proxy_executing_regsvr32_payload2.yml | #useful_information: add more LOLBins to the rules logic of your choice. | DRL 1.0 |
sigma | proc_creation_win_office_spawning_wmi_commandline.yml | #useful_information: Add more office applications to the rule logic of choice | DRL 1.0 |
sigma | registry_event_wab_dllpath_reg_change.yml | title: Execution DLL of Choice Using WAB.EXE | DRL 1.0 |
sigma | file_event_executable_and_script_creation_by_office_using_file_ext.yml | description: This rule will monitor executable and script file creation by office applications. Please add more file extensions or magic bytes to the logic of your choice. | DRL 1.0 |
sigma | file_event_executable_and_script_creation_by_office_using_file_ext.yml | #useful_information: Please add more file extensions and magic bytes to the logic of your choice. | DRL 1.0 |
LOLBAS | Wab.yml | Description: Change HKLM\Software\Microsoft\WAB\DLLPath and execute DLL of choice | |
atomic-red-team | index.md | - Atomic Test #3: Maldoc choice flags command execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #3: Maldoc choice flags command execution [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | - Atomic Test #3 - Maldoc choice flags command execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | ## Atomic Test #3 - Maldoc choice flags command execution | MIT License. © 2018 Red Canary |
atomic-red-team | T1204.002.md | $macrocode = “ a = Shell("cmd.exe /c choice /C Y /N /D Y /T 3 ”, vbNormalFocus)” | MIT License. © 2018 Red Canary |
signature-base | apt_eqgrp_apr17.yar | $x5 = “If one choice fails, you may want to try another.” fullword ascii | CC BY-NC 4.0 |
signature-base | apt_eqgrp_apr17.yar | $x1 = “[-] Error: Exploit choice not supported for target OS!!” fullword ascii | CC BY-NC 4.0 |
signature-base | gen_mal_backnet.yar | $s6 = “/C choice /C Y /N /D Y /T 4 & Del” wide | CC BY-NC 4.0 |
signature-base | gen_webshells.yar | // a good choice is a string with good atom quality = ideally 4 unusual characters next to each other | CC BY-NC 4.0 |
signature-base | thor-hacktools.yar | $s1 = “if not "%Choice%"=="" set Choice=%Choice:~0,1%” ascii | CC BY-NC 4.0 |
Additional Info*
*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.
choice
Prompts the user to select one item from a list of single-character choices in a batch program, and then returns the index of the selected choice. If used without parameters, choice displays the default choices Y and N.
Syntax
choice [/c [<choice1><choice2><…>]] [/n] [/cs] [/t <timeout> /d <choice>] [/m <text>]
Parameters
Parameter | Description |
---|---|
/c <choice1><choice2><…> | Specifies the list of choices to be created. Valid choices include a-z, A-Z, 0-9, and extended ASCII characters (128-254). The default list is YN, which is displayed as [Y,N]?. |
/n | Hides the list of choices, although the choices are still enabled and the message text (if specified by /m) is still displayed. |
/cs | Specifies that the choices are case-sensitive. By default, the choices are not case-sensitive. |
/t <timeout> | Specifies the number of seconds to pause before using the default choice specified by /d. Acceptable values are from 0 to 9999. If /t is set to 0, choice does not pause before returning the default choice. |
/d <choice> | Specifies the default choice to use after waiting the number of seconds specified by /t. The default choice must be in the list of choices specified by /c. |
/m <text> | Specifies a message to display before the list of choices. If /m is not specified, only the choice prompt is displayed. |
/? | Displays help at the command prompt. |
Remarks
- The ERRORLEVEL environment variable is set to the index of the key that the user selects from the list of choices. The first choice in the list returns a value of 1, the second a value of 2, and so on. If the user presses a key that is not a valid choice, choice sounds a warning beep.
- If choice detects an error condition, it returns an ERRORLEVEL value of 255. If the user presses CTRL+BREAK or CTRL+C, choice returns an ERRORLEVEL value of 0.
[!NOTE] When you use ERRORLEVEL values in a batch program, you must list them in decreasing order.
Examples
To present the choices Y, N, and C, type the following line in a batch file:
choice /c ync
The following prompt appears when the batch file runs the choice command:
[Y,N,C]?
To hide the choices Y, N, and C, but display the text Yes, No, or Continue, type the following line in a batch file:
choice /c ync /n /m "Yes, No, or Continue?"
[!NOTE] If you use the /n parameter, but do not use /m, the user is not prompted when choice is waiting for input.
To show both the text and the options used in the previous examples, type the following line in a batch file:
choice /c ync /m "Yes, No, or Continue"
To set a time limit of five seconds and specify N as the default value, type the following line in a batch file:
choice /c ync /t 5 /d n
[!NOTE] In this example, if the user doesn’t press a key within five seconds, choice selects N by default and returns an error value of 2. Otherwise, choice returns the value corresponding to the user’s choice.
MIT License. Copyright (c) 2020-2021 Strontic.