w3wp.exe

  • File Path: C:\windows\system32\inetsrv\w3wp.exe
  • Description: IIS Worker Process

Hashes

Type Hash
MD5 53D274E63A0A3A2AC19D5684648CB49E
SHA1 8502B1E8149C813392D9B96913807D8613A58164
SHA256 6CD7CC4B72DB91F168C36C500C1BE9AE391C1FF09CD65295BB24267D35373FD9
SHA384 581727BA413150B6DAC749A9DDE67E88D4114D18C2DAA4590C38E2DCB218B8243E3E2252A4F419055328106404717A42
SHA512 24F9D574C8339257921101C9CB9B3DE339C8D0473537287E5B2C1360E9685581A80CF2F54D7AB4B7C3C456B81AAB6D07D6222BAF99ED06D07C097FEBFB11D253
SSDEEP 384:RYXZfMN6MwM4h+AdBmkTSk+ArjTRJpdfcMbXsecdA4vWSuba:RAZfMN6lM48KMMSHU3P0wJ6rF

Signature

  • Status: The file C:\windows\system32\inetsrv\w3wp.exe is not digitally signed. You cannot run this script on the current system. For more information about running scripts and setting execution policy, see about_Execution_Policies at http://go.microsoft.com/fwlink/?LinkID=135170
  • Serial: ``
  • Thumbprint: ``
  • Issuer:
  • Subject:

File Metadata

  • Original Filename: w3wp.exe.mui
  • Product Name: Internet Information Services
  • Company Name: Microsoft Corporation
  • File Version: 8.5.9600.16384 (winblue_rtm.130821-1623)
  • Product Version: 8.5.9600.16384
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of w3wp.exe being misused. While w3wp.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma godmode_sigma_rule.yml - '\w3wp.exe' DRL 1.0
sigma sysmon_suspicious_remote_thread.yml - '\w3wp.exe' DRL 1.0
sigma pipe_created_alternate_powershell_hosts_pipe.yml - 'c:\windows\system32\inetsrv\w3wp.exe' # this is sad :,( but it triggers FPs on Exchange servers DRL 1.0
sigma proc_creation_win_susp_csc_folder.yml - '\w3wp.exe' # https://twitter.com/gabriele_pippi/status/1206907900268072962 DRL 1.0
sigma proc_creation_win_susp_powershell_parent_process.yml - '\w3wp.exe' DRL 1.0
sigma proc_creation_win_webshell_detection.yml - '\w3wp.exe' DRL 1.0
sigma proc_creation_win_webshell_recon_detection.yml - '\w3wp.exe' DRL 1.0
sigma proc_creation_win_webshell_spawn.yml - '\w3wp.exe' DRL 1.0
signature-base apt_hafnium.yar $s1 = “AppPath=c:\windows\system32\inetsrv\w3wp.exe” wide fullword CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.