WerFault.exe

  • File Path: C:\Windows\system32\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

| Type | Hash |
|---|---|
| MD5 | D6DA73EF6271A7C2B5DD7CE94393470C |
| SHA1 | B468FC0EB9977F2F2DC9B6C2A0B10A1969A0C29E |
| SHA256 | 3B4CEFD893A605D8CC768A09AB0F34BBB02D21495EB088F582095D985944F247 |
| SHA384 | DA8B3A74D45B39C6A5FA473868BD19645CAB9F0D8EC766B813D7EF1E800B4C1E4B9179950DA823605BDEFBDDCD91547F |
| SHA512 | DB8FF115A232D56DCDE8D584699DBE2FFE8D18F43CFD7683152F63B97E6C560542578F971C0F8B5EF98281DE58ED581779CF5F74B66FB79452FE85E2F40A41C0 |
| SSDEEP | 6144:MUSFI3/9XHlM6PamS1XFhPpDB1/VliLomj10uyHOE71+qiOBnUGVJyB60OHyLC7b:UIdK6+1XFTDbVUom50DiOBnUGc2Hywb |
| IMP | 58646A08EC3B9CF4BF7D3A86852FFDC4 |
| PESHA1 | 7C0C955D020098427237C9587B8D2223664D1421 |
| PE256 | DB33652A5DBE1F9F29DF71FA3047E6A3CA8346F668B93E5FDB8A113EFE5BDF3C |

Runtime Data

Loaded Modules:

| Path |
|---|
| C:\Windows\System32\advapi32.dll |
| C:\Windows\System32\bcrypt.dll |
| C:\Windows\System32\bcryptPrimitives.dll |
| C:\Windows\System32\combase.dll |
| C:\Windows\System32\CRYPTSP.dll |
| C:\Windows\system32\dbghelp.dll |
| C:\Windows\System32\KERNEL32.DLL |
| C:\Windows\System32\KERNELBASE.dll |
| C:\Windows\System32\msvcp_win.dll |
| C:\Windows\System32\msvcrt.dll |
| C:\Windows\SYSTEM32\ntdll.dll |
| C:\Windows\SYSTEM32\ntmarta.dll |
| C:\Windows\System32\OLEAUT32.dll |
| C:\Windows\System32\powrprof.dll |
| C:\Windows\System32\RPCRT4.dll |
| C:\Windows\System32\sechost.dll |
| C:\Windows\System32\shcore.dll |
| C:\Windows\System32\ucrtbase.dll |
| C:\Windows\system32\wer.dll |
| C:\Windows\system32\WerFault.exe |

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/3b4cefd893a605d8cc768a09ab0f34bbb02d21495eb088f582095d985944f247/detection/

File Similarity (ssdeep match)

| File | Score |
|---|---|
| C:\Windows\system32\Faultrep.dll | 35 |
| C:\windows\system32\WerFault.exe | 36 |
| C:\Windows\system32\WerFault.exe | 30 |
| C:\Windows\system32\WerFault.exe | 38 |
| C:\Windows\system32\WerFaultSecure.exe | 32 |
| C:\Windows\system32\WerFaultSecure.exe | 33 |
| C:\WINDOWS\system32\WerFaultSecure.exe | 38 |
| C:\Windows\system32\WerFaultSecure.exe | 36 |
| C:\Windows\system32\WerFaultSecure.exe | 35 |
| C:\Windows\system32\WerFaultSecure.exe | 32 |
| C:\Windows\system32\WerFaultSecure.exe | 36 |
| C:\Windows\system32\WerFaultSecure.exe | 36 |
| C:\WINDOWS\system32\WerFaultSecure.exe | 33 |
| C:\Windows\system32\WerFaultSecure.exe | 36 |
| C:\Windows\system32\wermgr.exe | 36 |
| C:\Windows\system32\wermgr.exe | 36 |
| C:\Windows\system32\wermgr.exe | 40 |
| C:\WINDOWS\system32\wermgr.exe | 41 |
| C:\WINDOWS\system32\wermgr.exe | 33 |
| C:\Windows\system32\wermgr.exe | 36 |
| C:\Windows\system32\wermgr.exe | 35 |
| C:\Windows\system32\wermgr.exe | 35 |
| C:\Windows\system32\wermgr.exe | 36 |
| C:\Windows\system32\wermgr.exe | 38 |
| C:\Windows\system32\wermgr.exe | 36 |
| C:\windows\system32\wermgr.exe | 35 |
| C:\Windows\system32\werui.dll | 38 |
| C:\Windows\SysWOW64\WerFault.exe | 35 |
| C:\windows\SysWOW64\WerFault.exe | 27 |
| C:\Windows\SysWOW64\WerFaultSecure.exe | 32 |
| C:\Windows\SysWOW64\WerFaultSecure.exe | 32 |
| C:\Windows\SysWOW64\WerFaultSecure.exe | 32 |
| C:\Windows\SysWOW64\WerFaultSecure.exe | 38 |
| C:\WINDOWS\SysWOW64\WerFaultSecure.exe | 35 |
| C:\WINDOWS\SysWOW64\WerFaultSecure.exe | 36 |
| C:\Windows\SysWOW64\WerFaultSecure.exe | 35 |
| C:\Windows\SysWOW64\WerFaultSecure.exe | 32 |
| C:\Windows\SysWOW64\WerFaultSecure.exe | 36 |
| C:\Windows\SysWOW64\WerFaultSecure.exe | 35 |
| C:\Windows\SysWOW64\wermgr.exe | 35 |
| C:\windows\SysWOW64\wermgr.exe | 35 |
| C:\Windows\SysWOW64\wermgr.exe | 36 |
| C:\WINDOWS\SysWOW64\wermgr.exe | 36 |
| C:\Windows\SysWOW64\wermgr.exe | 40 |
| C:\WINDOWS\SysWOW64\wermgr.exe | 33 |
| C:\Windows\SysWOW64\wermgr.exe | 38 |
| C:\Windows\SysWOW64\wermgr.exe | 36 |
| C:\Windows\SysWOW64\wermgr.exe | 36 |
| C:\Windows\SysWOW64\werui.dll | 38 |

Possible Misuse

The following table contains possible examples of WerFault.exe being misused. While WerFault.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' | DRL 1.0 |
| sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | Image\|endswith: '\WerFault.exe' | DRL 1.0 |
| sigma | proc_creation_win_bad_opsec_sacrificial_processes.yml | CommandLine\|endswith: '\WerFault.exe' | DRL 1.0 |
| sigma | proc_creation_win_cve_2021_26857_msexchange.yml | - 'WerFault.exe' | DRL 1.0 |
| sigma | proc_creation_win_exploit_cve_2020_1350.yml | - '\System32\werfault.exe' | DRL 1.0 |
| sigma | proc_creation_win_lsass_dump.yml | Image\|endswith: '\werfault.exe' | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_consent_comctl32.yml | Image\|endswith: '\werfault.exe' | DRL 1.0 |
| sigma | proc_creation_win_wmiprvse_spawning_process.yml | - '\WerFault.exe' | DRL 1.0 |
| sigma | win_suspicious_werfault_connection_outbound.yml | title: Suspicious Werfault.exe Network Connection Outbound | DRL 1.0 |
| sigma | win_suspicious_werfault_connection_outbound.yml | description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection. | DRL 1.0 |
| sigma | win_suspicious_werfault_connection_outbound.yml | Image: 'werfault.exe' | DRL 1.0 |

MIT License. Copyright (c) 2020-2021 Strontic.