runonce.exe

  • File Path: C:\Windows\system32\runonce.exe
  • Description: Run Once Wrapper

Hashes

Type Hash
MD5 AED7DA262BA66AB6ADAB2010CA4B35F4
SHA1 A8343DDF05407934DE92F9BE461D4B97D6F8CB63
SHA256 3A03F1D1EA3403CC2C81CA8F49E0330BE7AC9E05EF5CD16352F12B43FB9E4E38
SHA384 EEDC01E81EE2C61DBEF9D39CDCF85B99A9D53C08D4BD1247432D516A9ACA6B2E2B7412ABF7D4596DC1D279E880BA3AB1
SHA512 4B50748D0E2F1B0D5FC1527013BAC45370ECB427D60F95BC0FFB5916A9329E09A76451CBAE778713EF68F52510817C907C9FA1837788FC3330C2A52725EEBA8C
SSDEEP 1536:EoziWRwNqkzNRZ59thN9twj42NlgYG3c2xt:5Vw9D+N6l3c2j

Signature

  • Status: Signature verified.
  • Serial: 33000000BCE120FDD27CC8EE930000000000BC
  • Thumbprint: E85459B23C232DB3CB94C7A56D47678F58E8E51E
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: RUNONCE.EXE.MUI
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of runonce.exe being misused. While runonce.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_suspicious_remote_thread.yml - '\runonce.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml ParentImage\|endswith: '\runonce.exe' DRL 1.0
sigma proc_creation_win_cobaltstrike_process_patterns.yml ParentCommandLine\|endswith: '\runonce.exe' DRL 1.0
sigma proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml description: setupapi.dll library provide InstallHinfSection function for processing INF files. INF file may contain instructions allowing to create values in the registry, modify files and install drivers. This technique could be used to obtain persistence via modifying one of Run or RunOnce registry keys, run process or use other DLLs chain calls (see references) InstallHinfSection function in setupapi.dll calls runonce.exe executable regardless of actual content of INF file. DRL 1.0
sigma proc_creation_win_susp_rundll32_setupapi_installhinfsection.yml Image\|endswith: '\runonce.exe' DRL 1.0
sigma proc_creation_win_susp_runonce_execution.yml - '\runonce.exe' DRL 1.0
sigma registry_event_runonce_persistence.yml description: Rule to detect the configuration of Run Once registry key. Configured payload can be run by runonce.exe /AlternateShellStartup DRL 1.0
LOLBAS Runonce.yml Name: Runonce.exe  
LOLBAS Runonce.yml - Command: Runonce.exe /AlternateShellStartup  
LOLBAS Runonce.yml - Path: C:\Windows\System32\runonce.exe  
LOLBAS Runonce.yml - Path: C:\Windows\SysWOW64\runonce.exe  

MIT License. Copyright (c) 2020-2021 Strontic.