wusa.exe

  • File Path: C:\WINDOWS\system32\wusa.exe
  • Description: Windows Update Standalone Installer

Screenshot: wusa.exe (image not reproduced on this page)

Hashes

Type Hash
MD5 297CE1CB7C6CE8EF6F5655EC78E4C667
SHA1 986422155A1509A0EE0DFE8098623F1158AD69C5
SHA256 50AF95B82A9FC4F25B5443B2582BC76EF8FDD64792BB8DA9B64EC7312DA37452
SHA384 309AD376A37931F8D7A41238623AF54D1FD6FEFBF17E77321EAD8D5C6AB1E9255EE0F01EC21E9D7CBE04A6B196353D92
SHA512 2E436801F2F64E816B0F4B80DBE60D350C1D48956D059E55A25C8D1D66311CBD6B59ED1DEEEC2524C6DEDB7EFC97CECA5E061F70BE06FA7E4872CFA8079519CB
SSDEEP 3072:6Qv0HeAjBjvYsp7pWjbLr7I+u1Mp3cKAArDZz4N9GhbkUNEks:6y0Hf9jvYs5pWjb3EKpxyN90vEv
IMP 197D61C8CA617AA68042CB70543EFE68
PESHA1 C020527476A5702425AC271CB5527CF0B444B356
PE256 297B0A2A4ABE28695D8E26BE9FB9B420EBD642BDE838CF9E0F42CB37B876E23A

Runtime Data

Window Title:

Windows Update Standalone Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\wusa.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e\comctl32.dll.mui File
(RW-) C:\Windows\System32 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_6b887e04d8b70b4e File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_9d947278b86cc467 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\System32\ADVAPI32.dll
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\wusa.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/50af95b82a9fc4f25b5443b2582bc76ef8fdd64792bb8da9b64ec7312da37452/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\wextract.exe 54
C:\windows\system32\wextract.exe 54
C:\Windows\system32\wextract.exe 52
C:\Windows\system32\wextract.exe 55
C:\WINDOWS\system32\wextract.exe 54
C:\Windows\system32\wextract.exe 55
C:\Windows\system32\wusa.exe 46
C:\WINDOWS\system32\wusa.exe 38
C:\windows\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 33
C:\Windows\system32\wusa.exe 33
C:\Windows\system32\wusa.exe 36
C:\WINDOWS\SysWOW64\wextract.exe 57
C:\WINDOWS\SysWOW64\wextract.exe 55
C:\Windows\SysWOW64\wextract.exe 57
C:\Windows\SysWOW64\wextract.exe 55
C:\windows\SysWOW64\wextract.exe 55
C:\Windows\SysWOW64\wextract.exe 58
C:\Windows\SysWOW64\wusa.exe 40
C:\Windows\SysWOW64\wusa.exe 38
C:\Windows\SysWOW64\wusa.exe 38
C:\WINDOWS\SysWOW64\wusa.exe 61
C:\Windows\SysWOW64\wusa.exe 41
C:\WINDOWS\SysWOW64\wusa.exe 33
C:\windows\SysWOW64\wusa.exe 38

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma
    Source File: file_event_win_uac_bypass_ntfs_reparse_point.yml
    Example: description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
    License: DRL 1.0
  • Source: sigma
    Source File: proc_creation_win_uac_bypass_ntfs_reparse_point.yml
    Example: description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36)
    License: DRL 1.0
  • Source: sigma
    Source File: proc_creation_win_uac_bypass_ntfs_reparse_point.yml
    Example: CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\'
    License: DRL 1.0
  • Source: signature-base
    Source File: apt_thrip.yar
    Example: $s5 = "wusa.exe" fullword ascii
    License: CC BY-NC 4.0
  • Source: signature-base
    Source File: apt_thrip.yar
    Example: $s4 = "wusa.exe" fullword ascii
    License: CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.