wusa.exe

  • File Path: C:\Windows\SysWOW64\wusa.exe
  • Description: Windows Update Standalone Installer

Hashes


Runtime Data

Window Title:

Windows Update Standalone Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\wusa.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_a8625c1886757984 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wusa.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1151 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1151
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/ccda2c9e74e594dbe18e1eb0299986f3de9dab807d6890f812be5a103c2b90ee/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 44
C:\WINDOWS\system32\wusa.exe 47
C:\windows\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 41
C:\Windows\system32\wusa.exe 35
C:\Windows\SysWOW64\wusa.exe 55
C:\Windows\SysWOW64\wusa.exe 57
C:\WINDOWS\SysWOW64\wusa.exe 38
C:\Windows\SysWOW64\wusa.exe 75
C:\WINDOWS\SysWOW64\wusa.exe 49
C:\windows\SysWOW64\wusa.exe 50

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' DRL 1.0
signature-base apt_thrip.yar $s5 = "wusa.exe" fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s4 = "wusa.exe" fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.