ScriptRunner.exe

  • File Path: C:\Windows\system32\ScriptRunner.exe
  • Description:

Hashes

Type Hash
MD5 E099F50577EC360B96513A9251480D99
SHA1 F80C7A4E555A9F97BCEBB45FBEBE09B550FD471A
SHA256 D6D5E0964DAD6114840ECB51CB7A56F9D4F8A71C53A5E0A6C3C7325EB44A2292
SHA384 61EA0128F20E829E359049811ADAA7EFEB6FCC93CC366E573F3AD35EA8261A8992A4AA0F1FE9F38AB7121B8CDC6D5ADC
SHA512 90FC18E5A1E2B2ECDAFD27F47B9747DFEBC66BDD0EA8DCB9A45BC936004E7C21BB7D5861CA5940F49E7E6322917871358C5FD3FF6AB557429FA00DC25A341935
SSDEEP 384:xCxp6xOagu/0Ei6smkWzwWRlRDBRJtzl2wwybCQ:Yp5G/0TDiH1Pt8wFz

Runtime Data

Usage (stdout):

Invalid argument specified: /h
Usage:
ScriptRunner.exe
-appvscript scriptFileName [Arguments] [-appvscriptrunnerparameters [-wait] [-timeout=<TimeInSeconds>] [-rollbackonerror]] 
-appvscript scriptFileName [Arguments] [-appvscriptrunnerparameters [-wait] [-timeout=<TimeInSeconds>] [-rollbackonerror]] 
...
Default values for -appvscriptrunnerparameters: No wait, No timeout, No rollback on error
Every parameter must be separated by a unicode space character (U+0020)
Example:
ScriptRunner.exe -appvscript foo.cmd arg1 arg2 -appvscriptrunnerparameters -wait -timeout=30 -rollbackonerror -appvscript foobar.exe arg1 arg2
Error: Invalid argument specified

Signature

  • Status: Signature verified.
  • Serial: 33000001733031072665B8B9B3000000000173
  • Thumbprint: 14590DC5C3AAF238FCFD7785B4B93F4071402C34
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScriptRunner.exe
  • Product Name: Microsoft (R) Windows (R) Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0
  • Product Version: 10.0.14393.0
  • Language: Language Neutral
  • Legal Copyright: Copyright (c) Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ScriptRunner.exe 46
C:\WINDOWS\system32\ScriptRunner.exe 52
C:\Windows\system32\ScriptRunner.exe 46
C:\WINDOWS\system32\ScriptRunner.exe 47
C:\Windows\system32\ScriptRunner.exe 43
C:\Windows\system32\ScriptRunner.exe 50

Possible Misuse

The following table contains possible examples of ScriptRunner.exe being misused. While ScriptRunner.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_win_shell_write_susp_directory.yml - '\scriptrunner.exe' DRL 1.0
sigma image_load_suspicious_dbghelp_dbgcore_load.yml - '\scriptrunner.exe' DRL 1.0
sigma proc_creation_win_office_shell.yml - '\scriptrunner.exe' DRL 1.0
sigma proc_creation_win_outlook_shell.yml - '\scriptrunner.exe' DRL 1.0
sigma proc_creation_win_susp_servu_process_pattern.yml - '\scriptrunner.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java.yml - '\scriptrunner.exe' DRL 1.0
sigma proc_creation_win_susp_shell_spawn_by_java_keytool.yml - '\scriptrunner.exe' DRL 1.0
LOLBAS Scriptrunner.yml Name: Scriptrunner.exe  
LOLBAS Scriptrunner.yml - Command: Scriptrunner.exe -appvscript calc.exe  
LOLBAS Scriptrunner.yml - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"  
LOLBAS Scriptrunner.yml - Path: C:\Windows\System32\scriptrunner.exe  
LOLBAS Scriptrunner.yml - Path: C:\Windows\SysWOW64\scriptrunner.exe  
LOLBAS Scriptrunner.yml - IOC: Scriptrunner.exe should not be in use unless App-v is deployed  

MIT License. Copyright (c) 2020-2021 Strontic.