WerFault.exe

  • File Path: C:\windows\system32\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

  • MD5: 5D51C4B5991B8C112E61537B1391E060
  • SHA1: 96DA67ED07BAC8054EB205B4135E9B0358534D8B
  • SHA256: B9C76EC4BF6D6FE3F6F65E8F8FD0D344D3DA310F903141ED24533AA36710E84B
  • SHA384: DD867F2EA05BCC77C9A82D69063E14874D20BDAFEF87B7C67B2ED88512E99A0200BE7FE87D9EAFB2EA87A5C3E1BE040B
  • SHA512: 8FE2D5584486A5039EB7699719EB6EAC2FB92AF309AEB829130872546B471093679EC6287DE40496EFA1F70AD2C09561FB486B4CE54705594513607708E2C8A5
  • SSDEEP: 6144:/AA1R0mzqb9PVi9nYdFSPvjY/tKg4hlEvaRUNTDFa4s5OKnVJyB60OHyLC7vT:/smzqbknQmvE/t74hlfIDQf5Omc2Hywb

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 40
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFault.exe 36
C:\Windows\system32\WerFault.exe 33
C:\Windows\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 38
C:\WINDOWS\system32\WerFaultSecure.exe 44
C:\Windows\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 40
C:\Windows\system32\WerFaultSecure.exe 36
C:\Windows\system32\WerFaultSecure.exe 44
C:\WINDOWS\system32\WerFaultSecure.exe 35
C:\Windows\system32\WerFaultSecure.exe 40
C:\Windows\system32\wermgr.exe 40
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 38
C:\WINDOWS\system32\wermgr.exe 36
C:\WINDOWS\system32\wermgr.exe 41
C:\Windows\system32\wermgr.exe 36
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 44
C:\Windows\system32\wermgr.exe 38
C:\Windows\system32\wermgr.exe 43
C:\windows\system32\wermgr.exe 41
C:\Windows\system32\werui.dll 41
C:\Windows\SysWOW64\WerFault.exe 36
C:\windows\SysWOW64\WerFault.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 43
C:\Windows\SysWOW64\WerFaultSecure.exe 33
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 36
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 38
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\WerFaultSecure.exe 36
C:\Windows\SysWOW64\WerFaultSecure.exe 40
C:\Windows\SysWOW64\wermgr.exe 38
C:\windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 33
C:\WINDOWS\SysWOW64\wermgr.exe 41
C:\Windows\SysWOW64\wermgr.exe 38
C:\WINDOWS\SysWOW64\wermgr.exe 35
C:\Windows\SysWOW64\wermgr.exe 35
C:\Windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\wermgr.exe 38
C:\Windows\SysWOW64\werui.dll 35

Possible Misuse

The following entries are possible examples of WerFault.exe being misused, taken from public detection rules. WerFault.exe is not inherently malicious, but its legitimate functionality can be abused for malicious purposes.

  • Source: sigma, file proc_creation_win_bad_opsec_sacrificial_processes.yml (license: DRL 1.0)
      description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
      Image|endswith: '\WerFault.exe'
      CommandLine|endswith: '\WerFault.exe'
  • Source: sigma, file proc_creation_win_cve_2021_26857_msexchange.yml (license: DRL 1.0)
      - 'WerFault.exe'
  • Source: sigma, file proc_creation_win_exploit_cve_2020_1350.yml (license: DRL 1.0)
      - '\System32\werfault.exe'
  • Source: sigma, file proc_creation_win_lsass_dump.yml (license: DRL 1.0)
      Image|endswith: '\werfault.exe'
  • Source: sigma, file proc_creation_win_uac_bypass_consent_comctl32.yml (license: DRL 1.0)
      Image|endswith: '\werfault.exe'
  • Source: sigma, file proc_creation_win_wmiprvse_spawning_process.yml (license: DRL 1.0)
      - '\WerFault.exe'
  • Source: sigma, file win_suspicious_werfault_connection_outbound.yml (license: DRL 1.0)
      title: Suspicious Werfault.exe Network Connection Outbound
      description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.
      Image: 'werfault.exe'

MIT License. Copyright (c) 2020-2021 Strontic.