ScriptRunner.exe

  • File Path: C:\Windows\system32\ScriptRunner.exe
  • Description:

Hashes

Type Hash
MD5 EA8C42A5C14B808D6B73AC5A6A871379
SHA1 A9B8389A416AD24F057B10CD747BAD75CDC6A066
SHA256 CEC586A2E642D02E441D46EC48EA90825B506A38877312DD66C8824BF556D4C3
SHA384 B268ABFF69BFE1B31A3DEBF35235522919DE9C2BB0BC38D1FD23C807AC0FF166E6103B7B2DD174E3E82006ACDBF0157B
SHA512 61769B8FCF520DDE7C5DC7769BC2A0ADF672FE47AFCC67BA2271C2340D6A3078B0BA450880727CF4398A5B6194BC63D956AA3A83BDFA9219295882460E31CFDD
SSDEEP 384:69z/IFagu/0Ei6yymkWNwWGDBRJS4UslGsoi0:GzKG/0TLy4U1P000
IMP F34D5F2D4577ED6D9CEEC516C1F5A744
PESHA1 5000A22B2F0B429D8FA8D796EEA8CE2095C71F3B
PE256 6D6DC66D9C7E228941AF0604A7A37AC210A12C0D02E8CDD00CECB40B399563BE

Runtime Data

Usage (stdout):

Invalid argument specified: --help
Usage:
ScriptRunner.exe
-appvscript scriptFileName [Arguments] [-appvscriptrunnerparameters [-wait] [-timeout=<TimeInSeconds>] [-rollbackonerror]] 
-appvscript scriptFileName [Arguments] [-appvscriptrunnerparameters [-wait] [-timeout=<TimeInSeconds>] [-rollbackonerror]] 
...
Default values for -appvscriptrunnerparameters: No wait, No timeout, No rollback on error
Every parameter must be separated by a unicode space character (U+0020)
Example:
ScriptRunner.exe -appvscript foo.cmd arg1 arg2 -appvscriptrunnerparameters -wait -timeout=30 -rollbackonerror -appvscript foobar.exe arg1 arg2
Error: Invalid argument specified

Loaded Modules:

Path
C:\Windows\System32\KERNEL32.dll
C:\Windows\System32\KERNELBASE.dll
C:\Windows\SYSTEM32\MSCOREE.DLL
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\system32\ScriptRunner.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: ScriptRunner.exe
  • Product Name: Microsoft (R) Windows (R) Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1320
  • Product Version: 10.0.19041.1320
  • Language: Language Neutral
  • Legal Copyright: Copyright (c) Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ScriptRunner.exe 55
C:\WINDOWS\system32\ScriptRunner.exe 46
C:\Windows\system32\ScriptRunner.exe 61
C:\WINDOWS\system32\ScriptRunner.exe 54
C:\Windows\system32\ScriptRunner.exe 63
C:\Windows\system32\ScriptRunner.exe 50

Possible Misuse

The following table contains possible examples of ScriptRunner.exe being misused. ScriptRunner.exe is not inherently malicious: it is a Microsoft-signed App-V component whose job is to run whatever file is passed with -appvscript (a local path or, as the LOLBAS command below shows, a UNC path), and that legitimate behaviour is exactly what makes it usable as a proxy-execution binary. The LOLBAS IOC is the practical check: on a host where App-V is not deployed, ScriptRunner.exe should not be running at all.

Source   Source File                                         Example                                                        License
sigma    file_event_win_win_shell_write_susp_directory.yml   - '\scriptrunner.exe'                                          DRL 1.0
sigma    image_load_suspicious_dbghelp_dbgcore_load.yml      - '\scriptrunner.exe'                                          DRL 1.0
sigma    proc_creation_win_office_shell.yml                  - '\scriptrunner.exe'                                          DRL 1.0
sigma    proc_creation_win_outlook_shell.yml                 - '\scriptrunner.exe'                                          DRL 1.0
sigma    proc_creation_win_susp_servu_process_pattern.yml    - '\scriptrunner.exe'                                          DRL 1.0
sigma    proc_creation_win_susp_shell_spawn_by_java.yml      - '\scriptrunner.exe'                                          DRL 1.0
sigma    proc_creation_win_susp_shell_spawn_by_java_keytool.yml  - '\scriptrunner.exe'                                      DRL 1.0
LOLBAS   Scriptrunner.yml                                    Name: Scriptrunner.exe
LOLBAS   Scriptrunner.yml                                    - Command: Scriptrunner.exe -appvscript calc.exe
LOLBAS   Scriptrunner.yml                                    - Command: ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"
LOLBAS   Scriptrunner.yml                                    - Path: C:\Windows\System32\scriptrunner.exe
LOLBAS   Scriptrunner.yml                                    - Path: C:\Windows\SysWOW64\scriptrunner.exe
LOLBAS   Scriptrunner.yml                                    - IOC: Scriptrunner.exe should not be in use unless App-v is deployed
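The usage text above gives the full command-line grammar (repeated "-appvscript file [args]" groups, each optionally followed by "-appvscriptrunnerparameters -wait -timeout=N -rollbackonerror", separated only by U+0020), and the Sigma and LOLBAS rows give the misuse patterns: a suspicious parent process, a script fetched over UNC, an arbitrary executable passed as the "script", and any use at all where App-V is not deployed. The example below, added here and not part of the original page, the LOLBAS project or the Sigma rules, parses a ScriptRunner.exe command line with that grammar and scores constructed process-creation events against those patterns. The parent-process names, the extension list and the sample events are the author's assumptions for illustration; the parent list is a guess at what the listed office/outlook/java/keytool/servu rules cover, not copied from them.

```python
"""Parse ScriptRunner.exe command lines and flag LOLBAS-style misuse.

Added example; not the page's, LOLBAS's or Sigma's own code. The event
records and the parent/extension lists below are constructed assumptions.
"""
import ntpath  # Windows path handling that works on any host OS
import re
from typing import Dict, List

APPVSCRIPT = "-appvscript"
RUNNER_PARAMS = "-appvscriptrunnerparameters"
TIMEOUT_RE = re.compile(r"^-timeout=(\d+)$", re.IGNORECASE)

# Assumed parent images for the Sigma rules listed above (office, outlook,
# java, java_keytool, servu). Not copied from the rules themselves.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "java.exe", "javaw.exe", "keytool.exe", "serv-u.exe",
}
# Heuristic: the usage text shows .exe targets are valid, so an executable
# "script" (LOLBAS: -appvscript calc.exe) is a weak signal, not proof.
SCRIPT_EXTENSIONS = {".cmd", ".bat", ".ps1", ".vbs", ".js"}


def tokenize(command_line: str) -> List[str]:
    """Split on U+0020 only (as the usage text requires), honouring double
    quotes and keeping backslashes literal so UNC paths survive."""
    tokens, current, in_quotes = [], [], False
    for ch in command_line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == " " and not in_quotes:
            if current:
                tokens.append("".join(current))
                current = []
        else:
            current.append(ch)
    if current:
        tokens.append("".join(current))
    return tokens


def parse_scriptrunner(command_line: str) -> List[Dict]:
    """Return one entry per -appvscript group with its runner parameters.
    Defaults follow the usage text: no wait, no timeout, no rollback."""
    tokens = tokenize(command_line)
    if not tokens:
        return []
    i = 1 if tokens[0].lower().endswith("scriptrunner.exe") else 0
    entries: List[Dict] = []
    while i < len(tokens):
        if tokens[i].lower() != APPVSCRIPT or i + 1 >= len(tokens):
            raise ValueError(f"unexpected token {tokens[i]!r} at position {i}")
        entry = {"script": tokens[i + 1], "args": [], "wait": False,
                 "timeout": None, "rollbackonerror": False}
        i += 2
        # Script arguments run until the next keyword.
        while i < len(tokens) and tokens[i].lower() not in (APPVSCRIPT, RUNNER_PARAMS):
            entry["args"].append(tokens[i])
            i += 1
        if i < len(tokens) and tokens[i].lower() == RUNNER_PARAMS:
            i += 1
            while i < len(tokens) and tokens[i].lower() != APPVSCRIPT:
                tok = tokens[i].lower()
                match = TIMEOUT_RE.match(tok)
                if tok == "-wait":
                    entry["wait"] = True
                elif tok == "-rollbackonerror":
                    entry["rollbackonerror"] = True
                elif match:
                    entry["timeout"] = int(match.group(1))
                else:
                    raise ValueError(f"unknown runner parameter {tokens[i]!r}")
                i += 1
        entries.append(entry)
    return entries


def assess(event: Dict, appv_deployed: bool = False) -> List[str]:
    """Return the reasons a process-creation event looks like misuse."""
    if ntpath.basename(event["image"]).lower() != "scriptrunner.exe":
        return []
    reasons = []
    if not appv_deployed:
        reasons.append("scriptrunner_without_appv")  # LOLBAS IOC
    parent = ntpath.basename(event.get("parent_image", "")).lower()
    if parent in SUSPICIOUS_PARENTS:
        reasons.append(f"spawned_by_{parent}")
    try:
        entries = parse_scriptrunner(event["command_line"])
    except ValueError as exc:
        return reasons + [f"unparseable_command_line:{exc}"]
    for entry in entries:
        script = entry["script"]
        if script.startswith("\\\\"):
            reasons.append(f"unc_script:{script}")  # LOLBAS UNC example
        if ntpath.splitext(script)[1].lower() not in SCRIPT_EXTENSIONS:
            reasons.append(f"executable_payload:{script}")
    return reasons


# Constructed sample events (not real telemetry). Paths are assumptions.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\ScriptRunner.exe",
     "parent_image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "command_line": r'ScriptRunner.exe -appvscript "\\fileserver\calc.cmd"'},
    {"image": r"C:\Windows\SysWOW64\scriptrunner.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": "Scriptrunner.exe -appvscript calc.exe"},
    {"image": r"C:\Windows\System32\ScriptRunner.exe",
     "parent_image": r"C:\Program Files\Microsoft Application Virtualization\Client\AppVClient.exe",
     "command_line": "ScriptRunner.exe -appvscript foo.cmd arg1 arg2 "
                     "-appvscriptrunnerparameters -wait -timeout=30 -rollbackonerror "
                     "-appvscript foobar.exe arg1 arg2"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["command_line"], "->", assess(ev, appv_deployed=False))
```

The parser is deliberately strict: anything that is not one of the documented keywords in a runner-parameter position raises, and assess() reports that as its own reason rather than silently dropping the event, since a command line the documented grammar cannot explain is itself worth a look. The appv_deployed flag is the LOLBAS IOC turned into configuration; the third sample (the usage text's own example, launched from an assumed App-V client parent) shows that even a legitimate invocation still carries the weak executable-payload signal.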

MIT License. Copyright (c) 2020-2021 Strontic.