w3wp.exe

  • File Path: C:\windows\SysWOW64\inetsrv\w3wp.exe
  • Description: IIS Worker Process

Hashes

Type   | Hash
MD5    | 18F2A1DF70B5FA7F547D391D73B1DDB5
SHA1   | DF775D31C3ABBDA6BF9FD6AD35610D179CD6357B
SHA256 | BBECEB8DBEB159152B1D1B63AA4A23BB97A93EE7E63271213C181D3064F2DDF3
SHA384 | F00DB7AB22FD187DFF74A10BA8AD20E9A62DB73AE4D804DC78EF6224A0671A9EE9214D65A70BB4387B956D11988DF3BA
SHA512 | 005797943BC340E5ED4CA0BB7D18EDE1A42706A6511E2E4B75AEE9944CD16353AC86A36265492D8462F8C083CF4A8E485A578E6124C44A8BBE6480072D3DD966
SSDEEP | 384:aaI3JPdnZePRLWX5GpSMJGjG4kvvWSubaIXe:RAJPxZePRHSPjRkvFme

Signature

  • Status: The file C:\windows\SysWOW64\inetsrv\w3wp.exe is not digitally signed. (The signature-check script could not be run on the scanning system because of its PowerShell execution policy; for details on running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170.)
  • Serial: (none)
  • Thumbprint: (none)
  • Issuer: (none)
  • Subject: (none)

File Metadata

  • Original Filename: w3wp.exe.mui
  • Product Name: Internet Information Services
  • Company Name: Microsoft Corporation
  • File Version: 8.5.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 8.5.9600.16384
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of w3wp.exe being misused. While w3wp.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source         | Source File                                         | Example                                                                                                       | License
sigma          | godmode_sigma_rule.yml                             | - '\w3wp.exe'                                                                                                 | DRL 1.0
sigma          | sysmon_suspicious_remote_thread.yml                | - '\w3wp.exe'                                                                                                 | DRL 1.0
sigma          | pipe_created_alternate_powershell_hosts_pipe.yml   | - 'c:\windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers            | DRL 1.0
sigma          | proc_creation_win_susp_csc_folder.yml              | - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962                                 | DRL 1.0
sigma          | proc_creation_win_susp_powershell_parent_process.yml | - '\w3wp.exe'                                                                                               | DRL 1.0
sigma          | proc_creation_win_webshell_detection.yml           | - '\w3wp.exe'                                                                                                 | DRL 1.0
sigma          | proc_creation_win_webshell_recon_detection.yml     | - '\w3wp.exe'                                                                                                 | DRL 1.0
sigma          | proc_creation_win_webshell_spawn.yml               | - '\w3wp.exe'                                                                                                 | DRL 1.0
signature-base | apt_hafnium.yar                                    | $s1 = "AppPath=c:\windows\system32\inetsrv\w3wp.exe" wide fullword                                            | CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.