wusa.exe

  • File Path: C:\Windows\SysWOW64\wusa.exe
  • Description: Windows Update Standalone Installer

Hashes

Type Hash
MD5 18DE1F2C1BC5B1AFE3A66DD973C69411
SHA1 B1C4ADDBC339F1B5FD6347053835A129287BC731
SHA256 4B99324C4F640176227929722C40E383C3AE5D66A99763CDA908DCE7773525FA
SHA384 82A69C305CDBBAC1062D905C9A0202B642476C4E12DD43772FA747B9812F4105246A99E93727793866DE0F6CDA239EA5
SHA512 31BD607E7A82305FEBABD74030220EE6EDFCC8B8FAA2985A8FA138178D8DEAE050DFAADF69BA77202E8225009B19B69B32D12C325071CC2945F9F6610D329A03
SSDEEP 3072:CcDENnKKphw6s4RTQcWl4agXpDTa3IZJvks/dTDbnDrH+yBUMp3cKAArDZz4N9GJ:CcD8nRccMNgfJvJBDbnDD+QpxyN90vE

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.0 (rs1_release.160715-1616)
  • Product Version: 10.0.14393.0
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\wextract.exe 33
C:\windows\system32\wextract.exe 35
C:\Windows\system32\wextract.exe 33
C:\Windows\system32\wextract.exe 36
C:\WINDOWS\system32\wextract.exe 32
C:\Windows\system32\wextract.exe 33
C:\WINDOWS\system32\wusa.exe 40
C:\Windows\system32\wusa.exe 43
C:\WINDOWS\system32\wusa.exe 35
C:\windows\system32\wusa.exe 40
C:\Windows\system32\wusa.exe 36
C:\Windows\system32\wusa.exe 36
C:\Windows\system32\wusa.exe 41
C:\Windows\SysWOW64\ocsetapi.dll 41
C:\windows\SysWOW64\PkgMgr.exe 46
C:\Windows\SysWOW64\PkgMgr.exe 43
C:\Windows\SysWOW64\PkgMgr.exe 40
C:\Windows\SysWOW64\PkgMgr.exe 41
C:\WINDOWS\SysWOW64\PkgMgr.exe 38
C:\WINDOWS\SysWOW64\PkgMgr.exe 46
C:\WINDOWS\SysWOW64\wextract.exe 33
C:\WINDOWS\SysWOW64\wextract.exe 35
C:\Windows\SysWOW64\wextract.exe 32
C:\Windows\SysWOW64\wextract.exe 38
C:\windows\SysWOW64\wextract.exe 38
C:\Windows\SysWOW64\wextract.exe 32
C:\Windows\SysWOW64\wusa.exe 55
C:\Windows\SysWOW64\wusa.exe 50
C:\WINDOWS\SysWOW64\wusa.exe 40
C:\Windows\SysWOW64\wusa.exe 54
C:\WINDOWS\SysWOW64\wusa.exe 52
C:\windows\SysWOW64\wusa.exe 52

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | file_event_win_uac_bypass_ntfs_reparse_point.yml | `description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)` | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | `description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)` | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | `CommandLine\|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'` | DRL 1.0 |
| signature-base | apt_thrip.yar | `$s5 = "wusa.exe" fullword ascii` | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | `$s4 = "wusa.exe" fullword ascii` | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.