WerFault.exe

  • File Path: C:\windows\SysWOW64\WerFault.exe
  • Description: Windows Problem Reporting

Hashes

Type Hash
MD5 FF88EC2E38C3CDDA92ED566272477098
SHA1 AD2B22FB5C939C6E9241E9F909EF7E3A9F7337E2
SHA256 5C7F45A1A9609496F669A821C0FE52260D2530342820B618EEC8B75A5ACD5EBC
SHA384 37CD2B762A291C00F911E855DDA57207781A50FA791C856765C509D303CF0D25753A79C9B60AFAB40B881DDD32B73313
SHA512 80DAB17C11126C36142AB4DB04B199362E7DF78CA7EFEBC7D31CCECF4536126D19E5829880EE358388D6D597E8746D329286DD84CBB99B9DE3A0743556952569
SSDEEP 6144:CXyFEkYmE1H7B9TkmakxK420yAzR/NPfoCKSzlcVEvUUOPXKRJH5MouVJyB60OHw:CEjEV7B94maaQCsUOPE5Mzc2HywZ

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WerFault.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 6.3.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 6.3.9600.16384
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\Faultrep.dll 30
C:\windows\system32\WerFault.exe 32
C:\Windows\system32\WerFault.exe 27
C:\Windows\system32\WerFault.exe 27
C:\Windows\system32\WerFault.exe 27
C:\Windows\system32\WerFaultSecure.exe 24
C:\Windows\system32\WerFaultSecure.exe 29
C:\WINDOWS\system32\WerFaultSecure.exe 25
C:\Windows\system32\WerFaultSecure.exe 29
C:\Windows\system32\WerFaultSecure.exe 30
C:\Windows\system32\WerFaultSecure.exe 24
C:\Windows\system32\WerFaultSecure.exe 24
C:\Windows\system32\WerFaultSecure.exe 29
C:\WINDOWS\system32\WerFaultSecure.exe 24
C:\Windows\system32\WerFaultSecure.exe 29
C:\Windows\system32\wermgr.exe 29
C:\Windows\system32\wermgr.exe 27
C:\Windows\system32\wermgr.exe 29
C:\WINDOWS\system32\wermgr.exe 29
C:\WINDOWS\system32\wermgr.exe 33
C:\Windows\system32\wermgr.exe 30
C:\Windows\system32\wermgr.exe 27
C:\Windows\system32\wermgr.exe 30
C:\Windows\system32\wermgr.exe 29
C:\Windows\system32\wermgr.exe 32
C:\Windows\system32\wermgr.exe 30
C:\windows\system32\wermgr.exe 27
C:\Windows\system32\werui.dll 30
C:\Windows\SysWOW64\WerFault.exe 30
C:\Windows\SysWOW64\WerFaultSecure.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 29
C:\Windows\SysWOW64\WerFaultSecure.exe 25
C:\Windows\SysWOW64\WerFaultSecure.exe 32
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 27
C:\WINDOWS\SysWOW64\WerFaultSecure.exe 32
C:\Windows\SysWOW64\WerFaultSecure.exe 25
C:\Windows\SysWOW64\WerFaultSecure.exe 27
C:\Windows\SysWOW64\WerFaultSecure.exe 30
C:\Windows\SysWOW64\WerFaultSecure.exe 27
C:\Windows\SysWOW64\wermgr.exe 29
C:\windows\SysWOW64\wermgr.exe 24
C:\Windows\SysWOW64\wermgr.exe 33
C:\WINDOWS\SysWOW64\wermgr.exe 32
C:\Windows\SysWOW64\wermgr.exe 27
C:\WINDOWS\SysWOW64\wermgr.exe 30
C:\Windows\SysWOW64\wermgr.exe 27
C:\Windows\SysWOW64\wermgr.exe 30
C:\Windows\SysWOW64\wermgr.exe 30
C:\Windows\SysWOW64\werui.dll 33

Possible Misuse

The following table lists public detection rules that reference WerFault.exe. WerFault.exe is not inherently malicious, but its legitimate functionality can be abused, for example as a sacrificial process into which a capability is injected, or as a host for a migrated C2 beacon whose traffic then appears to come from a signed Windows binary. A row in this table only means that the rule mentions the file: the reference may be a detection condition or an exclusion (a crashing process spawns WerFault.exe legitimately, so several rules filter it out of their parent/child checks). Read the rule itself before treating the match as an indicator.

Source Source File Example License
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml description: 'Detects attackers using tooling with bad opsec defaults e.g. spawning a sacrificial process to inject a capability into the process without taking into account how the process is normally run, one trivial example of this is using rundll32.exe without arguments as a sacrificial process (default in CS, now highlighted by c2lint), running WerFault without arguments (Kraken - credit am0nsec), and other examples.' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml Image|endswith: '\WerFault.exe' DRL 1.0
sigma proc_creation_win_bad_opsec_sacrificial_processes.yml CommandLine|endswith: '\WerFault.exe' DRL 1.0
sigma proc_creation_win_cve_2021_26857_msexchange.yml - 'WerFault.exe' DRL 1.0
sigma proc_creation_win_exploit_cve_2020_1350.yml - '\System32\werfault.exe' DRL 1.0
sigma proc_creation_win_lsass_dump.yml Image|endswith: '\werfault.exe' DRL 1.0
sigma proc_creation_win_uac_bypass_consent_comctl32.yml Image|endswith: '\werfault.exe' DRL 1.0
sigma proc_creation_win_wmiprvse_spawning_process.yml - '\WerFault.exe' DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml title: Suspicious Werfault.exe Network Connection Outbound DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml description: Adversaries can migrate cobalt strike/metasploit/C2 beacons on compromised systems to legitimate werfault.exe process to avoid detection. DRL 1.0
sigma win_suspicious_werfault_connection_outbound.yml Image: 'werfault.exe' DRL 1.0
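The two WerFault.exe patterns the table describes in its own words, the argument-less sacrificial launch and the outbound network connection from werfault.exe, as detection logic run over constructed sample events. This is an added example, not Strontic's code and not the Sigma rules themselves: the event fields are modelled loosely on Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) but the names are this example's own, the sample events and IP addresses are constructed (RFC 5737 documentation ranges), and the allow list of networks that WER reports are expected to reach is an assumption to be filled from your own telemetry. The legitimate command line in the first sample uses the `-u -p <pid> -s <n>` form WerFault.exe is normally launched with for a user-mode crash.

```python
"""Added example: Sigma-style checks for two WerFault.exe abuse patterns
(sacrificial process without arguments; outbound connection from werfault.exe)
evaluated over constructed sample events. Field names are this example's own."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Event:
    event_id: int            # 1 = process creation, 3 = network connection
    image: str               # full path of the process
    command_line: str = ""   # event 1 only
    parent_image: str = ""   # event 1 only
    dest_ip: str = ""        # event 3 only
    initiated: bool = True   # event 3: True means the process opened the connection


def is_werfault(path: str) -> bool:
    """Case-insensitive match on the file name; covers both the System32 and
    SysWOW64 copies, since Windows paths are case-insensitive."""
    return path.lower().endswith("\\werfault.exe")


def argument_string(command_line: str) -> str:
    """Return everything after the program token, handling a quoted image path."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        rest = cl[end + 1:] if end != -1 else ""
    else:
        parts = cl.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.strip()


def werfault_without_arguments(ev: Event) -> bool:
    """Sacrificial-process check: WerFault.exe created with an empty argument list.
    The Sigma rule's 'CommandLine|endswith: \\WerFault.exe' expresses the same idea;
    parsing the arguments also catches the quoted form "...\\WerFault.exe", whose
    command line ends in a quote rather than in the file name."""
    return (ev.event_id == 1 and is_werfault(ev.image)
            and argument_string(ev.command_line) == "")


def werfault_outbound_connection(ev: Event, allowed_nets) -> bool:
    """Outbound connection from werfault.exe to a destination outside the networks
    WER reports are known to go to. allowed_nets is an assumption of this example
    (the Sigma rule excludes Microsoft's reporting endpoints); build it from your
    own baseline of legitimate upload destinations."""
    if ev.event_id != 3 or not ev.initiated or not is_werfault(ev.image):
        return False
    ip = ipaddress.ip_address(ev.dest_ip)
    return not any(ip in net for net in allowed_nets)


def evaluate(events, allowed_nets):
    """Return (rule_name, event) pairs for every event that fires a check."""
    hits = []
    for ev in events:
        if werfault_without_arguments(ev):
            hits.append(("werfault_no_arguments", ev))
        if werfault_outbound_connection(ev, allowed_nets):
            hits.append(("werfault_outbound_connection", ev))
    return hits


# Constructed sample data (not real telemetry). The allow list is a stand-in
# for the organisation's observed WER upload destinations.
ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]
SAMPLE_EVENTS = [
    # Legitimate crash handling: WerFault launched with its usual arguments.
    Event(1, r"C:\Windows\SysWOW64\WerFault.exe",
          command_line=r"C:\Windows\SysWOW64\WerFault.exe -u -p 4120 -s 876",
          parent_image=r"C:\Program Files (x86)\Example\app.exe"),
    # Sacrificial process: WerFault spawned bare so a capability can be injected.
    Event(1, r"C:\Windows\System32\WerFault.exe",
          command_line=r'"C:\Windows\System32\WerFault.exe"',
          parent_image=r"C:\Users\user\AppData\Local\Temp\loader.exe"),
    # Report upload to a known destination.
    Event(3, r"C:\Windows\System32\WerFault.exe", dest_ip="198.51.100.20"),
    # Beacon traffic from an implant migrated into werfault.exe.
    Event(3, r"C:\Windows\System32\werfault.exe", dest_ip="203.0.113.5"),
]

if __name__ == "__main__":
    for rule, ev in evaluate(SAMPLE_EVENTS, ALLOWED_NETS):
        print(f"{rule}: {ev.image} {ev.command_line or ev.dest_ip}")
```

Running the block prints one hit for the bare launch and one for the connection to 203.0.113.5; the legitimate crash report and the upload to the allowed network are silent. The argument parser is the part worth keeping: a plain `endswith` on the command line misses the quoted form, which is exactly how a loader that builds its command line with `CreateProcess` and a quoted path will spawn the sacrificial process.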

MIT License. Copyright (c) 2020-2021 Strontic.