runonce.exe

  • File Path: C:\WINDOWS\SysWOW64\runonce.exe
  • Description: Run Once Wrapper

Hashes

Type Hash
MD5 9B63659A4122786214421EBEE16F3ED9
SHA1 A545B253B63C011AADA635830BBF00F2ABA01180
SHA256 8152D550176E103B3BE1C0606FD1D869913AF58A33D0AF7D3C302A42A3D6AD1D
SHA384 9522CDB4CC13EEAFE04DA9AAC5F894127B6DF60E7AD6DF9C2D708AE2CF6FC4EE9E0D4CA4CB91DAD92871F222A2EB8A4D
SHA512 C1F1118086E0B0081A2007B7DB3BA2B300604544DE5AD544D72D0B7DBF37AD5EE248927E79B268CC20C362F99C78271AF1D02A01334729E86E07E737161B2AF9
SSDEEP 1536:T6XqN0sXKkPrOKbp0Ea5sSsuQXD10rSZvP5OhK:TRN0sXKCpysSsJh0rcn5
IMP 96D496B206827E208C5D7E3DD59947C0
PESHA1 CC147C64AC8BA4884F1D4D317A279A8CC05CC3F0
PE256 B797B211A0E968A88E6E0DFAC1B9570977FF7660C943B8ACB4A832C26EC06E14

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\runonce.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RUNONCE.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/8152d550176e103b3be1c0606fd1d869913af58a33d0af7d3c302a42a3d6ad1d/detection

Possible Misuse

The following table contains possible examples of runonce.exe being misused. While runonce.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\runonce.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml ParentImage\|endswith: '\runonce.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml ParentCommandLine\|endswith: '\runonce.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file. DRL 1.0
sigma proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml Image\|endswith: '\runonce.exe' DRL 1.0
sigma proc_creation_win_susp_runonce_execution.yml - '\runonce.exe' DRL 1.0
sigma registry_event_runonce_persistence.yml description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup DRL 1.0
LOLBAS Runonce.yml Name: Runonce.exe  
LOLBAS Runonce.yml - Command: Runonce.exe /AlternateShellStartup  
LOLBAS Runonce.yml - Path: C:\Windows\System32\runonce.exe  
LOLBAS Runonce.yml - Path: C:\Windows\SysWOW64\runonce.exe  

MIT License. Copyright (c) 2020-2021 Strontic.