WerFault.exe

  • File Path: C:\WINDOWS\system32\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

| Type | Hash |
| --- | --- |
| MD5 | A823820012C1CE37549D1EA3DEFBFBB8 |
| SHA1 | D4AE985C2CB926D0BB4D6A828C18CAA3DE070BE3 |
| SHA256 | 6BC28220FDD5B33A92C3AC2D60B298F3F4BF6BBCFF11827254EB51CD813E1C6A |
| SHA384 | 47082957EA724BA4CC8C92475A12FCED2B770180E562161B7015F7FDD17AE666BD40CB2E228FBFDF43D2FC4448563BCE |
| SHA512 | E8FC8258DF82B616C431FD855D8191B4B04B8BE7C11B260B4CCB6B477F87BCBA5B9197135F234B1F91ECE95A3130EEFD9F7DA3500C54840AF5E683DF0EF02865 |
| SSDEEP | 12288:lLRa46GFN1peg8RLJqKgc4Ms1iUWzWbF/xc2Hyw1d:R04DedRLJ0WzWbF5cyh1d |
| IMP | 4A5F40DDEEC83465C6DE39AA63BF2F73 |
| PESHA1 | E6BAC92C4A5E88527D481D093100911FC09AA428 |
| PE256 | 962E52F47383B546917F8086AA7CD3581BBEF4DC5D00C0862272E1055420F8F2 |

Runtime Data

Loaded Modules:

| Path |
| --- |
| C:\WINDOWS\System32\combase.dll |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\System32\msvcrt.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\system32\WerFault.exe |

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/6bc28220fdd5b33a92c3ac2d60b298f3f4bf6bbcff11827254eb51cd813e1c6a/detection

Possible Misuse

The following table lists examples of WerFault.exe being misused, taken from public detection rules. WerFault.exe is not inherently malicious, but its legitimate functionality can be abused by attackers.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' | DRL 1.0 |
| sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | Image\|endswith: '\WerFault.exe' | DRL 1.0 |
| sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | CommandLine\|endswith: '\WerFault.exe' | DRL 1.0 |
| sigma | proc_creation_win_cve_2021_26857_msexchange.yml | - 'WerFault.exe' | DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2020_1350.yml | - '\System32\werfault.exe' | DRL 1.0 |
| sigma | proc_creation_win_lsass_dump.yml | Image\|endswith: '\werfault.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | Image\|endswith: '\werfault.exe' | DRL 1.0 |
| sigma | proc_creation_win_wmiprvse_spawning_process.yml | - '\WerFault.exe' | DRL 1.0 |
| sigma | win_suspicious_werfault_connection_outbound.yml | title: Suspicious Werfault.exe Network Connection Outbound | DRL 1.0 |
| sigma | win_suspicious_werfault_connection_outbound.yml | description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection. | DRL 1.0 |
| sigma | win_suspicious_werfault_connection_outbound.yml | Image: 'werfault.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.