WerFault.exe

  • File Path: C:\WINDOWS\SysWOW64\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 C8149B519DFFA6901E8D661028752A20
SHA1 F18551399F673A913BC21C4947A3C5344223473F
SHA256 256D9C8F4C86723BAB2C1AFB29DCC6AFF5CD302894E7B207F9C869DEE08F0268
SHA384 20688608E86CDCC23640DC843E43FAB9785B68E5CE2715D709C8A0A06EC0065FA50DEEB75FD49338F0D0B89EAC45C411
SHA512 A8284A0E4AD535DA9A5E47E1101616C51E819549B7C6DC0740C97B224D9A52CD8E7A6BF642C7510B28471FA8183423A8A309393D0B354A5DDB54673D7ED16846
SSDEEP 12288:5JRoPKTJ/P5tkxvp5r821Jf7b2aQ+5O2jgB7zVTFgc2HywwCy:dZPXkxvp5r8211nd7O2jgB7zVTFgcyhG
IMP 5DCAA6E384A014435BAF9CDF9286FEBC
PESHA1 2224271C9F0F14AD7388E404B47E4B8AE69407B6
PE256 0342D196DBBD404E3B25861EF352F1BCC4485B44466A9F2DB1CE2195A49F05E9

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\WerFault.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.282 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.282
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/256d9c8f4c86723bab2c1afb29dcc6aff5cd302894e7b207f9c869dee08f0268/detection

Possible Misuse

The following table contains excerpts from public Sigma detection rules that reference WerFault.exe. While WerFault.exe is not inherently malicious (it is the Windows Error Reporting fault handler), its legitimate functionality can be abused: an attacker can inject a C2 beacon into it so that outbound traffic appears to come from a trusted, signed Windows binary, or launch it without arguments as a sacrificial host process. Note that this page describes the 32-bit copy under SysWOW64; the 64-bit copy lives under System32, and the rules below match either path.

Source Source File Example License
sigma win_suspicious_werfault_connection_outbound.yml title: Suspicious Werfault.exe Network Connection Outbound DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection. DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml Image: 'werfault.exe' DRL 1.0
sigma sysmon_cve_2021_26857_msexchange.yml - 'WerFault.exe' DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml Image|endswith: '\WerFault.exe' DRL 1.0
sigma win_bad_opsec_sacrificial_processes.yml CommandLine|endswith: '\WerFault.exe' DRL 1.0
sigma win_exploit_cve_2020_1350.yml - '\System32\werfault.exe' DRL 1.0
sigma win_lsass_dump.yml Image|endswith: '\werfault.exe' DRL 1.0
sigma win_uac_bypass_consent_comctl32.yml Image|endswith: '\werfault.exe' DRL 1.0
sigma win_wmiprvse_spawning_process.yml - '\WerFault.exe' DRL 1.0
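The checks the rule excerpts above describe (WerFault.exe started with no arguments, a copy running outside System32/SysWOW64, an outbound connection from the process) can be applied to Sysmon-style process-creation and network-connection events. The script below is an added example written for this page; it is not Strontic's code and not the Sigma rules themselves. It assumes events are dicts keyed by Sysmon field names (Image, CommandLine, Hashes, Initiated, DestinationHostname, and so on), the allowlist of Windows Error Reporting upload hosts is an assumption to be replaced with endpoints observed in your own environment, and the sample events at the bottom are constructed, not real telemetry. The known-good SHA256 set holds only the build documented on this page, so a mismatch is reported as informational rather than as proof of tampering.

```python
"""Triage Sysmon-style events for the WerFault.exe abuse patterns listed above.

Added example for this page (not Strontic's or Sigma's code). Events are plain
dicts using Sysmon field names; the sample events below are constructed.
"""
from typing import Dict, List, Tuple

# Expected on-disk locations: the SysWOW64 copy described on this page and the
# 64-bit copy under System32.
EXPECTED_IMAGE_PATHS = {
    r"c:\windows\system32\werfault.exe",
    r"c:\windows\syswow64\werfault.exe",
}

# SHA256 of the build documented on this page (10.0.22000.282, SysWOW64).
# Other builds legitimately hash differently, so a mismatch is informational.
KNOWN_GOOD_SHA256 = {
    "256D9C8F4C86723BAB2C1AFB29DCC6AFF5CD302894E7B207F9C869DEE08F0268",
}

# ASSUMPTION: example allowlist of WER upload hosts; replace with what your own
# environment actually talks to.
ASSUMED_WER_HOSTS = ("watson.telemetry.microsoft.com", "watson.microsoft.com")

Event = Dict[str, object]
Finding = Tuple[object, str]


def is_werfault(image: str) -> bool:
    return image.lower().endswith("\\werfault.exe")


def parse_sysmon_hashes(field: str) -> Dict[str, str]:
    """Parse the Sysmon 'SHA256=...,MD5=...' Hashes field into a dict."""
    out: Dict[str, str] = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().upper()
    return out


def check_process_create(ev: Event) -> List[str]:
    """Checks for a Sysmon Event ID 1 (process create) record."""
    findings: List[str] = []
    image = str(ev.get("Image", ""))
    if not is_werfault(image):
        return findings
    if image.lower() not in EXPECTED_IMAGE_PATHS:
        findings.append(f"WerFault image outside System32/SysWOW64: {image}")
    # A genuine fault-handler launch carries arguments (-u -p <pid> -s <event> ...);
    # a bare image path is the sacrificial-process pattern from
    # win_bad_opsec_sacrificial_processes.
    cmdline = str(ev.get("CommandLine", "")).strip().strip('"')
    if cmdline.lower().endswith("\\werfault.exe"):
        findings.append("WerFault started without arguments (sacrificial process)")
    sha256 = parse_sysmon_hashes(str(ev.get("Hashes", ""))).get("SHA256")
    if sha256 and sha256 not in KNOWN_GOOD_SHA256:
        findings.append(f"WerFault SHA256 not in known-good set: {sha256}")
    return findings


def check_network_connect(ev: Event) -> List[str]:
    """Checks for a Sysmon Event ID 3 (network connection) record."""
    findings: List[str] = []
    if not is_werfault(str(ev.get("Image", ""))):
        return findings
    if str(ev.get("Initiated", "true")).lower() != "true":
        return findings  # only outbound connections are of interest here
    host = str(ev.get("DestinationHostname", "")).lower()
    if not any(host == h or host.endswith("." + h) for h in ASSUMED_WER_HOSTS):
        findings.append(
            f"WerFault outbound connection to {ev.get('DestinationIp')}:"
            f"{ev.get('DestinationPort')} ({host or 'no hostname'})"
        )
    return findings


def triage(events: List[Event]) -> List[Finding]:
    """Return (ProcessId, message) pairs for every pattern that matched."""
    results: List[Finding] = []
    for ev in events:
        if ev.get("EventID") == 1:
            msgs = check_process_create(ev)
        elif ev.get("EventID") == 3:
            msgs = check_network_connect(ev)
        else:
            msgs = []
        results.extend((ev.get("ProcessId"), m) for m in msgs)
    return results


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS: List[Event] = [
    {"EventID": 1, "ProcessId": 5120, "Image": r"C:\WINDOWS\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\WINDOWS\SysWOW64\WerFault.exe -u -p 4712 -s 1480",
     "Hashes": "SHA256=256D9C8F4C86723BAB2C1AFB29DCC6AFF5CD302894E7B207F9C869DEE08F0268"},
    {"EventID": 1, "ProcessId": 6008, "Image": r"C:\WINDOWS\System32\WerFault.exe",
     "CommandLine": r'"C:\WINDOWS\System32\WerFault.exe"'},
    {"EventID": 1, "ProcessId": 7000, "Image": r"C:\Users\Public\WerFault.exe",
     "CommandLine": r"C:\Users\Public\WerFault.exe",
     "Hashes": "SHA256=0000000000000000000000000000000000000000000000000000000000000000"},
    {"EventID": 3, "ProcessId": 5120, "Image": r"C:\WINDOWS\SysWOW64\WerFault.exe",
     "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443,
     "DestinationHostname": "watson.telemetry.microsoft.com"},
    {"EventID": 3, "ProcessId": 6008, "Image": r"C:\WINDOWS\System32\WerFault.exe",
     "Initiated": "true", "DestinationIp": "198.51.100.23", "DestinationPort": 8443,
     "DestinationHostname": ""},
    {"EventID": 1, "ProcessId": 8100, "Image": r"C:\WINDOWS\System32\notepad.exe",
     "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for pid, msg in triage(SAMPLE_EVENTS):
        print(f"pid {pid}: {msg}")
```

Running the script on the constructed events flags pid 6008 twice (no-argument launch, then an outbound connection to an unresolved host) and pid 7000 three times (wrong path, no arguments, unknown hash), while the legitimate launch with crash-handler arguments and its connection to the allowlisted host produce nothing. In a real pipeline the no-argument and wrong-path checks are high-signal on their own; the hash check should be fed from a set covering every build deployed in the estate, not just this one.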

MIT License. Copyright (c) 2020-2021 Strontic.