wuauclt.exe

  • File Path: C:\WINDOWS\system32\wuauclt.exe
  • Description: Windows Update

Hashes

Type Hash
MD5 21C2707934468C59547EF50F8C778BFC
SHA1 39A218984845B6765CCA31A7B1CB0432747C1C2C
SHA256 EA1D3F4AE01EA1BF8E3B3839958AFDC9531110C982F30AB6FAC945BD79DD93AD
SHA384 60B3E76BA2B3936B8F9C34DE2DB6F64D7624CAE26846D7B34435CF68021D7DEDBECF3CFA9170753ECA48A29ACAC0386C
SHA512 A935B1C6680D9C7668033BECE63DAE5A236FDC1426AC0CD80A074C5224FE18A7FBC353D93B32F65F15EC3BF5857B20BBF198D237DD9F5E90E2BB172788B6AD15
SSDEEP 1536:bAslvBJbziv/KK+96SPZ8pCTBySCmV2xzV7udJ/Xsr7ryPrx:bAmv/bzc/7hpKyvmYNKBXsr7ryDx
IMP C94718917E202E50F7A1BC3B100DCA71
PESHA1 B03051F0D736312DCA22A6611D23CDA2AB0DD1A5
PE256 0C8931ECB70B4B4EBF62D40D0B9FF0451CB9F9CE5FEB6D27382D1CD29947B4FC

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\combase.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\ucrtbase.dll
C:\WINDOWS\system32\wuauclt.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wuauclt.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.194 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.194
  • Language: Language Neutral
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/ea1d3f4ae01ea1bf8e3b3839958afdc9531110c982f30ab6fac945bd79dd93ad/detection

Possible Misuse

The following table contains possible examples of wuauclt.exe being misused. While wuauclt.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma net_connection_win_wuauclt_network_connection.yml title: Wuauclt Network Connection DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code and making a network connections. One could easily make the DLL spawn a new process and inject to it to proxy the network connection and bypass this rule. DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml Image\|contains: wuauclt DRL 1.0
sigma net_connection_win_wuauclt_network_connection.yml - Legitimate use of wuauclt.exe over the network. DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml title: Monitoring Wuauclt.exe For Lolbas Execution Of DLL DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml description: Adversaries can abuse wuauclt.exe (Windows Update client) to run code execution by specifying an arbitrary DLL. DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_lolbas_execution_of_wuauclt.yml CommandLine\|re: '(?i)wuauclt\.exe.*\/UpdateDeploymentProvider.*\/Runhandlercomserver' DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml title: Proxy Execution via Wuauclt DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml description: Detects the use of the Windows Update Client binary (wuauclt.exe) to proxy execute code. DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - Image\|contains: wuauclt DRL 1.0
sigma proc_creation_win_proxy_execution_wuauclt.yml - OriginalFileName: wuauclt.exe DRL 1.0
sigma proc_creation_win_susp_spoolsv_child_processes.yml - \wuauclt.exe DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml description: Detects code execution via the Windows Update client (wuauclt) DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml - https://dtm.uk/wuauclt/ DRL 1.0
sigma proc_creation_win_susp_wuauclt.yml - '\wuauclt.exe' DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml description: Detects suspicious Windows Update Agent activity in which a wuauclt.exe process command line doesn't contain any command line flags DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml Image\|endswith: '\Wuauclt.exe' DRL 1.0
sigma proc_creation_win_susp_wuauclt_cmdline.yml CommandLine\|endswith: '\Wuauclt.exe' DRL 1.0
sigma registry_event_persistence_search_order.yml - C:\WINDOWS\system32\wuauclt.exe DRL 1.0
LOLBAS Wuauclt.yml Name: wuauclt.exe  
LOLBAS Wuauclt.yml - Command: wuauclt.exe /UpdateDeploymentProvider Full_Path_To_DLL /RunHandlerComServer  
LOLBAS Wuauclt.yml - Path: C:\Windows\System32\wuauclt.exe  
LOLBAS Wuauclt.yml - IOC: wuauclt run with a parameter of a DLL path  
LOLBAS Wuauclt.yml - IOC: Suspicious wuauclt Internet/network connections  
LOLBAS Wuauclt.yml - Link: https://dtm.uk/wuauclt/  
signature-base apt_putterpanda.yar $x0 = “WUAUCLT.EXE” fullword wide /* PEStudio Blacklist: strings / / score: ‘20.01’ */ CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.