wusa.exe

  • File Path: C:\Windows\SysWOW64\wusa.exe
  • Description: Windows Update Standalone Installer

Runtime Data

Window Title:

Windows Update Standalone Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\imageres.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\wusa.exe.mui File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.17763.1518_en-us_3c26ab8c9470805a File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.17763.1518_none_261b62a767ca4e6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme2131664586 Section
\Windows\Theme966197582 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wusa.exe

Signature

  • Status: Signature verified.
  • Serial: 33000001C422B2F79B793DACB20000000001C4
  • Thumbprint: AE9C1AE54763822EEC42474983D8B635116C8452
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/9a18550136d91fd0af3d8d3e202a5a348ddee9639498f2b5fc9630e83406d7e1/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 46
C:\WINDOWS\system32\wusa.exe 46
C:\windows\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 35
C:\Windows\system32\wusa.exe 40
C:\Windows\SysWOW64\wusa.exe 50
C:\Windows\SysWOW64\wusa.exe 57
C:\WINDOWS\SysWOW64\wusa.exe 38
C:\Windows\SysWOW64\wusa.exe 55
C:\WINDOWS\SysWOW64\wusa.exe 54
C:\windows\SysWOW64\wusa.exe 50

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | file_event_win_uac_bypass_ntfs_reparse_point.yml | description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | CommandLine\|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' | DRL 1.0 |
| signature-base | apt_thrip.yar | $s5 = "wusa.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s4 = "wusa.exe" fullword ascii | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.