runonce.exe

  • File Path: C:\windows\system32\runonce.exe
  • Description: Run Once Wrapper

Hashes

Type Hash
MD5 8AE95C9655D24787AC951D84C0999DDF
SHA1 2B8AAB68D31C0C974EEBB8014494193C01AF3257
SHA256 31F9A7FE6617B035DF0FD6BF0B21FCD33528B4962C15AF20CE617FDF0E57CF0A
SHA384 3F6C6CFAE42F08907B32FE57D49CC2C10956587AF1BBA0487E5EAD8B30B05A7E1083C283BD641AEDD22A96990C2FD0F4
SHA512 F5B3A6AB5A05E7E1169BF9896BA1B37BAA5FFAEB4883A486615CBFE62E5FEF422ED478C696D2661AFED8A441461EF3B11982041AE5415E76CBEA28F18A182327
SSDEEP 768:QddHN+igvj9/i1stBSnSDCwo9AktQLgaWH1hx6Kw/mpIaemN09og:QddHN+dZqmfo6tDmNg

Signature

  • Status: The file C:\windows\system32\runonce.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial:
  • Thumbprint:
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: RUNONCE.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of runonce.exe being misused. While runonce.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | sysmon_suspicious_remote_thread.yml | - '\runonce.exe' | DRL 1.0
sigma | proc_creation_win_cobaltstrike_process_patterns.yml | ParentImage|endswith: '\runonce.exe' | DRL 1.0
sigma | proc_creation_win_cobaltstrike_process_patterns.yml | ParentCommandLine|endswith: '\runonce.exe' | DRL 1.0
sigma | proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml | description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file. | DRL 1.0
sigma | proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml | Image|endswith: '\runonce.exe' | DRL 1.0
sigma | proc_creation_win_susp_runonce_execution.yml | - '\runonce.exe' | DRL 1.0
sigma | registry_event_runonce_persistence.yml | description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup | DRL 1.0
LOLBAS | Runonce.yml | Name: Runonce.exe |
LOLBAS | Runonce.yml | - Command: Runonce.exe /AlternateShellStartup |
LOLBAS | Runonce.yml | - Path: C:\Windows\System32\runonce.exe |
LOLBAS | Runonce.yml | - Path: C:\Windows\SysWOW64\runonce.exe |

MIT License. Copyright (c) 2020-2021 Strontic.