WerFault.exe

  • File Path: C:\Windows\SysWOW64\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

  • MD5: 78E2621A3ED108179AE91557C1F21DDA
  • SHA1: 404270D013E237FE8FAB2753CC09FA2F778414EB
  • SHA256: 4BC022BB58B3AF9F724410E32B56BC61479226A1D0DF1065EEC6FA4909C33F4F
  • SHA384: 106A722728C23F036C856074CC8205DDE74EBDAE26BADAA7FF5760C7BF6A931A209E39BEFF1B3EE14E36C65B1AA6F727
  • SHA512: DC9504F60CFB16A154C8AD357A6C29646294CF658569EF56BA92B220489C7ACA91101E1630817F941CF14C6261A832E6E204D2678E48D6636855157481F0D9F9
  • SSDEEP: 6144:Yeo6g5XV78CqRujwNY9MVJyB60OHyLC7vdw:1g/gCqRBN5c2Hywy

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

Each entry lists a file and its ssdeep similarity score (0-100) against this binary; the same path appears more than once where different file versions were compared.

  • C:\Windows\system32\Faultrep.dll: 41
  • C:\windows\system32\WerFault.exe: 36
  • C:\Windows\system32\WerFault.exe: 33
  • C:\Windows\system32\WerFault.exe: 35
  • C:\Windows\system32\WerFault.exe: 40
  • C:\Windows\system32\WerFaultSecure.exe: 54
  • C:\Windows\system32\WerFaultSecure.exe: 44
  • C:\WINDOWS\system32\WerFaultSecure.exe: 52
  • C:\Windows\system32\WerFaultSecure.exe: 49
  • C:\Windows\system32\WerFaultSecure.exe: 46
  • C:\Windows\system32\WerFaultSecure.exe: 54
  • C:\Windows\system32\WerFaultSecure.exe: 50
  • C:\Windows\system32\WerFaultSecure.exe: 47
  • C:\WINDOWS\system32\WerFaultSecure.exe: 50
  • C:\Windows\system32\WerFaultSecure.exe: 47
  • C:\Windows\system32\wermgr.exe: 44
  • C:\Windows\system32\wermgr.exe: 50
  • C:\Windows\system32\wermgr.exe: 50
  • C:\WINDOWS\system32\wermgr.exe: 46
  • C:\WINDOWS\system32\wermgr.exe: 46
  • C:\Windows\system32\wermgr.exe: 44
  • C:\Windows\system32\wermgr.exe: 50
  • C:\Windows\system32\wermgr.exe: 46
  • C:\Windows\system32\wermgr.exe: 50
  • C:\Windows\system32\wermgr.exe: 44
  • C:\Windows\system32\wermgr.exe: 50
  • C:\windows\system32\wermgr.exe: 54
  • C:\Windows\system32\werui.dll: 44
  • C:\windows\SysWOW64\WerFault.exe: 30
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 54
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 40
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 49
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 43
  • C:\WINDOWS\SysWOW64\WerFaultSecure.exe: 47
  • C:\WINDOWS\SysWOW64\WerFaultSecure.exe: 40
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 43
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 49
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 46
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 55
  • C:\Windows\SysWOW64\wermgr.exe: 55
  • C:\windows\SysWOW64\wermgr.exe: 55
  • C:\Windows\SysWOW64\wermgr.exe: 44
  • C:\WINDOWS\SysWOW64\wermgr.exe: 38
  • C:\Windows\SysWOW64\wermgr.exe: 43
  • C:\WINDOWS\SysWOW64\wermgr.exe: 50
  • C:\Windows\SysWOW64\wermgr.exe: 38
  • C:\Windows\SysWOW64\wermgr.exe: 44
  • C:\Windows\SysWOW64\wermgr.exe: 44
  • C:\Windows\SysWOW64\werui.dll: 46

Possible Misuse

The following entries are possible examples of WerFault.exe being misused. While WerFault.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes. Each entry gives the source, the source file, the matching excerpt, and the license.

  • sigma, proc_creation_win_bad_opsec_sacrificial_processes.yml (DRL 1.0):
      description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
      Image|endswith: '\WerFault.exe'
      CommandLine|endswith: '\WerFault.exe'
  • sigma, proc_creation_win_cve_2021_26857_msexchange.yml (DRL 1.0):
      - 'WerFault.exe'
  • sigma, proc_creation_win_exploit_cve_2020_1350.yml (DRL 1.0):
      - '\System32\werfault.exe'
  • sigma, proc_creation_win_lsass_dump.yml (DRL 1.0):
      Image|endswith: '\werfault.exe'
  • sigma, proc_creation_win_uac_bypass_consent_comctl32.yml (DRL 1.0):
      Image|endswith: '\werfault.exe'
  • sigma, proc_creation_win_wmiprvse_spawning_process.yml (DRL 1.0):
      - '\WerFault.exe'
  • sigma, win_suspicious_werfault_connection_outbound.yml (DRL 1.0):
      title: Suspicious Werfault.exe Network Connection Outbound
      description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.
      Image: 'werfault.exe'

MIT License. Copyright (c) 2020-2021 Strontic.