ScriptRunner.exe

  • File Path: C:\Windows\system32\ScriptRunner.exe
  • Description:

Hashes

| Type   | Hash |
|--------|------|
| MD5    | C64357854C5214AC178B78EF1A17042F |
| SHA1   | 464B383C00C609B633191FAFC93D72685653C832 |
| SHA256 | 267D6422A1AE5E633A04129388FC8BEC82FD751E0130E5998F1168BEFEC38058 |
| SHA384 | A10621E8323F8809AF7015DF8AC8E701C39CFD0BD271D34DB6003A5B644C920A5C263FC7F1413755802BCA12FF5F8B07 |
| SHA512 | 2E610EBF219F5B7519B774FFD2029A28EC387E7709C695B7EE66AB261C83606203C44D1F3DA054E0A0727C0E9E8946DB9D7CE0ED60E964FBA672D03595D7B178 |
| SSDEEP | 384:+9z/IFagu/0Ei6yymaWl4wWHer6wDDBRJ5Sifl+Puh+9:yzKG/0TLyRBer6wD1PP69 |
| IMP    | F34D5F2D4577ED6D9CEEC516C1F5A744 |
| PESHA1 | 56328C4174DD67123BA5334C96FAE9FBDB20D5F2 |
| PE256  | BB3E29AB0705957FD7EFE7F15F4587E3618B275582DCDF53000A91BD7518A2B1 |

Runtime Data

Usage (stdout):

Invalid argument specified: --help
Usage:
ScriptRunner.exe
-appvscript scriptFileName [Arguments] [-appvscriptrunnerparameters [-wait] [-timeout=<TimeInSeconds>] [-rollbackonerror]] 
-appvscript scriptFileName [Arguments] [-appvscriptrunnerparameters [-wait] [-timeout=<TimeInSeconds>] [-rollbackonerror]] 
...
Default values for -appvscriptrunnerparameters: No wait, No timeout, No rollback on error
Every parameter must be separated by a unicode space character (U+0020)
Example:
ScriptRunner.exe -appvscript foo.cmd arg1 arg2 -appvscriptrunnerparameters -wait -timeout=30 -rollbackonerror -appvscript foobar.exe arg1 arg2
Error: Invalid argument specified

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.dll
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\ScriptRunner.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScriptRunner.exe
  • Product Name: Microsoft (R) Windows (R) Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.488
  • Product Version: 10.0.19041.488
  • Language: Language Neutral
  • Legal Copyright: Copyright (c) Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/267d6422a1ae5e633a04129388fc8bec82fd751e0130e5998f1168befec38058/detection

File Similarity (ssdeep match)

| File | Score |
|------|-------|
| C:\Windows\system32\6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll | 43 |
| C:\Windows\system32\DeviceCensus.exe | 29 |
| C:\Windows\system32\LocationFrameworkPS.dll | 33 |
| C:\Windows\system32\migwiz\migres.dll | 36 |
| C:\Windows\system32\ResetEngine.exe | 43 |
| C:\Windows\system32\ResetEngine.exe | 41 |
| C:\Windows\system32\ScriptRunner.exe | 50 |
| C:\WINDOWS\system32\ScriptRunner.exe | 47 |
| C:\Windows\system32\ScriptRunner.exe | 74 |
| C:\WINDOWS\system32\ScriptRunner.exe | 57 |
| C:\Windows\system32\ScriptRunner.exe | 43 |
| C:\Windows\system32\ScriptRunner.exe | 63 |
| C:\Windows\system32\WerEnc.dll | 30 |
| C:\Windows\SystemApps\MicrosoftWindows.UndockedDevKit_cw5n1h2txyewy\UndockedDevKit.exe | 36 |
| C:\Windows\SysWOW64\backgroundTaskHost.exe | 32 |
| C:\Windows\SysWOW64\dllhost.exe | 32 |
| C:\Windows\SysWOW64\WerEnc.dll | 40 |

Possible Misuse

The following table contains possible examples of ScriptRunner.exe being misused. While ScriptRunner.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | file_event_win_win_shell_write_susp_directory.yml | - '\scriptrunner.exe' | DRL 1.0 |
| sigma | image_load_suspicious_dbghelp_dbgcore_load.yml | - '\scriptrunner.exe' | DRL 1.0 |
| sigma | proc_creation_win_office_shell.yml | - '\scriptrunner.exe' | DRL 1.0 |
| sigma | proc_creation_win_outlook_shell.yml | - '\scriptrunner.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_servu_process_pattern.yml | - '\scriptrunner.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java.yml | - '\scriptrunner.exe' | DRL 1.0 |
| sigma | proc_creation_win_susp_shell_spawn_by_java_keytool.yml | - '\scriptrunner.exe' | DRL 1.0 |
| LOLBAS | Scriptrunner.yml | Name: Scriptrunner.exe | |
| LOLBAS | Scriptrunner.yml | - Command: Scriptrunner.exe -appvscript calc.exe | |
| LOLBAS | Scriptrunner.yml | - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd" | |
| LOLBAS | Scriptrunner.yml | - Path: C:\Windows\System32\scriptrunner.exe | |
| LOLBAS | Scriptrunner.yml | - Path: C:\Windows\SysWOW64\scriptrunner.exe | |
| LOLBAS | Scriptrunner.yml | - IOC: Scriptrunner.exe should not be in use unless App-v is deployed | |

MIT License. Copyright (c) 2020-2021 Strontic.