WerFault.exe

  • File Path: C:\Windows\system32\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

  • MD5: B843354FF4C728A87A5A061E0974FD78
  • SHA1: F1158A8418EDDAA55B7CB6A809E7A3C440D9C267
  • SHA256: 26F9D0295B00AE31C5FB42F727E394D6377BC433118D8E405D932B4C51476ABF
  • SHA384: 5C7F527FD7F94A0E8E8A5413D3C359BB6A3F1AADC5D69CD33BB730EA329FFB85618E9042518B38297BF2B14DED0D63CD
  • SHA512: FDB3AB2CC9835C6AE06ADB815291B7220D68AFF97352509E5C463176557B34DBEFD7AE4D2170F3A7F403F45E9DCAACE1140FEC58D59D78F4DEAB773CE6BC4364
  • SSDEEP: 6144:irQgRATtuSfoENXz0oF87o/AGgxVMfh3UeHX/ucL6qPS8Rg+6F5ZVJyB60OHyLCG:LrhX4/74AGggj/3pSegDF5Hc2Hywy

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

Matched file (ssdeep match score):

  • C:\Windows\system32\Faultrep.dll: 38
  • C:\windows\system32\WerFault.exe: 33
  • C:\WINDOWS\system32\WerFault.exe: 35
  • C:\Windows\system32\WerFault.exe: 30
  • C:\Windows\system32\WerFault.exe: 32
  • C:\Windows\system32\WerFaultSecure.exe: 36
  • C:\Windows\system32\WerFaultSecure.exe: 33
  • C:\WINDOWS\system32\WerFaultSecure.exe: 35
  • C:\Windows\system32\WerFaultSecure.exe: 41
  • C:\Windows\system32\WerFaultSecure.exe: 38
  • C:\Windows\system32\WerFaultSecure.exe: 36
  • C:\Windows\system32\WerFaultSecure.exe: 33
  • C:\Windows\system32\WerFaultSecure.exe: 36
  • C:\WINDOWS\system32\WerFaultSecure.exe: 32
  • C:\Windows\system32\WerFaultSecure.exe: 38
  • C:\Windows\system32\wermgr.exe: 33
  • C:\Windows\system32\wermgr.exe: 35
  • C:\Windows\system32\wermgr.exe: 33
  • C:\WINDOWS\system32\wermgr.exe: 35
  • C:\WINDOWS\system32\wermgr.exe: 32
  • C:\Windows\system32\wermgr.exe: 35
  • C:\Windows\system32\wermgr.exe: 33
  • C:\Windows\system32\wermgr.exe: 33
  • C:\Windows\system32\wermgr.exe: 38
  • C:\Windows\system32\wermgr.exe: 35
  • C:\Windows\system32\wermgr.exe: 35
  • C:\windows\system32\wermgr.exe: 33
  • C:\Windows\system32\werui.dll: 33
  • C:\Windows\SysWOW64\WerFault.exe: 33
  • C:\windows\SysWOW64\WerFault.exe: 27
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 35
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 35
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 38
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 32
  • C:\WINDOWS\SysWOW64\WerFaultSecure.exe: 35
  • C:\WINDOWS\SysWOW64\WerFaultSecure.exe: 36
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 32
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 35
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 30
  • C:\Windows\SysWOW64\WerFaultSecure.exe: 35
  • C:\Windows\SysWOW64\wermgr.exe: 35
  • C:\windows\SysWOW64\wermgr.exe: 30
  • C:\Windows\SysWOW64\wermgr.exe: 33
  • C:\WINDOWS\SysWOW64\wermgr.exe: 32
  • C:\Windows\SysWOW64\wermgr.exe: 36
  • C:\WINDOWS\SysWOW64\wermgr.exe: 35
  • C:\Windows\SysWOW64\wermgr.exe: 35
  • C:\Windows\SysWOW64\wermgr.exe: 30
  • C:\Windows\SysWOW64\wermgr.exe: 33
  • C:\Windows\SysWOW64\werui.dll: 35

Possible Misuse

The following list contains possible examples of WerFault.exe being misused, taken from public detection rules. While WerFault.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Each entry gives the rule source, the rule file and its license, followed by the matching line from that rule:

  • sigma, proc_creation_win_bad_opsec_sacrificial_processes.yml (DRL 1.0): description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.'
  • sigma, proc_creation_win_bad_opsec_sacrificial_processes.yml (DRL 1.0): Image|endswith: '\WerFault.exe'
  • sigma, proc_creation_win_bad_opsec_sacrificial_processes.yml (DRL 1.0): CommandLine|endswith: '\WerFault.exe'
  • sigma, proc_creation_win_cve_2021_26857_msexchange.yml (DRL 1.0): - 'WerFault.exe'
  • sigma, proc_creation_win_exploit_cve_2020_1350.yml (DRL 1.0): - '\System32\werfault.exe'
  • sigma, proc_creation_win_lsass_dump.yml (DRL 1.0): Image|endswith: '\werfault.exe'
  • sigma, proc_creation_win_uac_bypass_consent_comctl32.yml (DRL 1.0): Image|endswith: '\werfault.exe'
  • sigma, proc_creation_win_wmiprvse_spawning_process.yml (DRL 1.0): - '\WerFault.exe'
  • sigma, win_suspicious_werfault_connection_outbound.yml (DRL 1.0): title: Suspicious Werfault.exe Network Connection Outbound
  • sigma, win_suspicious_werfault_connection_outbound.yml (DRL 1.0): description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection.
  • sigma, win_suspicious_werfault_connection_outbound.yml (DRL 1.0): Image: 'werfault.exe'

MIT License. Copyright (c) 2020-2021 Strontic.