WerFault.exe

  • File Path: C:\Windows\SysWOW64\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 483713AB410E47556A6FAF7634336D94
SHA1 992B106EE78D55FFC4BF3E284A7D5D0F978569FE
SHA256 F79420BE1161A86FC1CAA09D062C5C835929913B48F10EECCC8179DEA9A318DC
SHA384 68270ABA895AF6A1CA0C682DC83ABCD3CAEC98FAABC3F818A041AF97749C4C4601D0C03FD82B61C0AFD37490D3C0AB14
SHA512 0C8117B69CDA594E3ACB4626863462ECE70D040D5B8A0338B33E8560702725D3E0DB2EB08188386E2CAA7A837F5F22086DAAFC6CF2DECF5FFFF4D10C17C0CCB2
SSDEEP 12288:Y1RCjjD0LCLuys9oczNZcbEjoUqhFEHc2Hywnbu:YRC/4LCLuysXpGwoUqhFEHcyhnS
IMP 1CB1148A98B718C6F3EEF715F4EBCFDD
PESHA1 78C3C02B96B6CEC18403D1E2DDA891C1A4EACC0A
PE256 CDC3CE50652FE4E1BAC5B63A8BDACCDF8E5BEEC387A2D95B6171E988189EA685

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\WerFault.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.388 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.388
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/68
  • VirusTotal Link: https://www.virustotal.com/gui/file/f79420be1161a86fc1caa09d062c5c835929913b48f10eeccc8179dea9a318dc/detection/

Possible Misuse

The following table contains possible examples of WerFault.exe being misused. While WerFault.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml Image\|endswith: '\WerFault.exe' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml CommandLine\|endswith: '\WerFault.exe' DRL 1.0
sigma proc_creation_win_cve_2021_26857_msexchange.yml - 'WerFault.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2020_1350.yml - '\System32\werfault.exe' DRL 1.0
sigma proc_creation_win_lsass_dump.yml Image\|endswith: '\werfault.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_consent_comctl32.yml Image\|endswith: '\werfault.exe' DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml - '\WerFault.exe' DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml title: Suspicious Werfault.exe Network Connection Outbound DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection. DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml Image: 'werfault.exe' DRL 1.0

MIT License. Copyright (c) 2020-2021 Strontic.