wusa.exe

  • File Path: C:\Windows\system32\wusa.exe
  • Description: Windows Update Standalone Installer

Hashes

Type Hash
MD5 59701FE9C8BA85BCEB73A9B1B3E8E1C4
SHA1 41C0812B0BE63153F3B68EA76C8B985D69DDCFBB
SHA256 E0438C5594A4EEB8515518989EE3A773581F414273B857B885D2201F66A95B06
SHA384 8CF139BA0B9ADF180448ED29660BCE78D19D6BB8FE55CF52104CD5C83B1FB8FC3D9FE61364A3C80D39D765B13E55CC39
SHA512 197279F4F762D2746E5D67FEC5B94CD569647B9BEB79B0A6069C20A1D4C2DD36808F8B546CD8F0E7E515D744F05654D9D704C3FBD8ECA951F6B4A8E16BAB8C8A
SSDEEP 3072:SjomFcaF4iHSd5bqcoENXK6JRAqs4xjw8m1IRpR9/BRMp3cKAArDZz4N9GhbkUNJ:Sj9FjuiebqcoMHxM8cg9wpxyN90vE
IMP D5E97853B4CD1F8376A7D9FDA250C21E
PESHA1 A9F059D328FE2356577499E1448DAB78EC29ACBE
PE256 D82C40386D1ACC422D41BA0F041D08C4AF97F74CF4177A2DC648E8A7568938F4

Runtime Data

Window Title:

Windows Update Standalone Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\wusa.exe.mui File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_f47974b57ff45754 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\SYSTEM32\atlthunk.dll
C:\Windows\System32\bcryptPrimitives.dll
C:\Windows\System32\cfgmgr32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\cryptsp.dll
C:\Windows\system32\dpx.dll
C:\Windows\system32\DUser.dll
C:\Windows\system32\dwmapi.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\kernel.appcore.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\MSASN1.dll
C:\Windows\System32\MSCTF.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\powrprof.dll
C:\Windows\System32\profapi.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\shcore.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\shlwapi.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\uxtheme.dll
C:\Windows\System32\win32u.dll
C:\Windows\System32\windows.storage.dll
C:\Windows\system32\WindowsCodecs.dll
C:\Windows\system32\WTSAPI32.dll
C:\Windows\system32\wusa.exe
C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_de6e2bd0534e2567\COMCTL32.dll

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/e0438c5594a4eeb8515518989ee3a773581f414273b857b885d2201f66a95b06/detection/

File Similarity (ssdeep match)

File Score
C:\Windows\system32\ocsetapi.dll 44
C:\WINDOWS\system32\PkgMgr.exe 43
C:\windows\system32\PkgMgr.exe 36
C:\WINDOWS\system32\PkgMgr.exe 35
C:\Windows\system32\PkgMgr.exe 43
C:\Windows\system32\PkgMgr.exe 43
C:\WINDOWS\system32\wextract.exe 44
C:\windows\system32\wextract.exe 43
C:\Windows\system32\wextract.exe 43
C:\Windows\system32\wextract.exe 44
C:\WINDOWS\system32\wextract.exe 43
C:\Windows\system32\wextract.exe 41
C:\WINDOWS\system32\wusa.exe 46
C:\WINDOWS\system32\wusa.exe 58
C:\windows\system32\wusa.exe 50
C:\Windows\system32\wusa.exe 44
C:\Windows\system32\wusa.exe 49
C:\Windows\system32\wusa.exe 47
C:\WINDOWS\SysWOW64\wextract.exe 43
C:\WINDOWS\SysWOW64\wextract.exe 40
C:\Windows\SysWOW64\wextract.exe 44
C:\Windows\SysWOW64\wextract.exe 40
C:\windows\SysWOW64\wextract.exe 47
C:\Windows\SysWOW64\wextract.exe 40
C:\Windows\SysWOW64\wusa.exe 43
C:\Windows\SysWOW64\wusa.exe 44
C:\Windows\SysWOW64\wusa.exe 46
C:\WINDOWS\SysWOW64\wusa.exe 47
C:\Windows\SysWOW64\wusa.exe 40
C:\WINDOWS\SysWOW64\wusa.exe 38
C:\windows\SysWOW64\wusa.exe 41

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' DRL 1.0
signature-base apt_thrip.yar $s5 = "wusa.exe" fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s4 = "wusa.exe" fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.