wusa.exe

  • File Path: C:\WINDOWS\SysWOW64\wusa.exe
  • Description: Windows Update Standalone Installer

Hashes

Type Hash
MD5 79499499551D1B2AE037EC1B339C7C36
SHA1 02AC8CCBC700129CC225064E68E573B124056F21
SHA256 0CB59520D3858469821D4BDE32E003CF4328F0931BC345473459EE071723D978
SHA384 732401671FECEDC4685385DD95B77948A87721C30EC9934FB0C5BAB1535611F492811E5645172F0F9C9602D3940A7098
SHA512 2D39FF26414634035CBBF6CB443FBB994E5201BD75B8E44A64711C65B374BFBC42A054EF2580B42A53F6424F7A08B8E16891801E3FDCD9A203DBE0931441008E
SSDEEP 3072:QScy6yGeW1lEe+6uU7Iil1Mp3cKAArDZz4N9GhbkUNEkP:3cy6PeAT+6uUEVpxyN90vE
IMP 8F67D8CB87D78E1C56993E7DD1A7198F
PESHA1 12C241F5204179A30F3F39CE62D6CD984F0C63EB
PE256 EAB6B16CBCE657296993EEE4FFD741A90E771CD4E741E187867A0DDBB5FDF870

Runtime Data

Window Title:

Windows Update Standalone Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\wusa.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_b335b4dbed333454\comctl32.dll.mui File
(RW-) C:\Windows File
(RW-) C:\Windows\SysWOW64 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.22000.1_en-us_b335b4dbed333454 File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.22000.120_none_e541a94fcce8ed6d File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\Windows\Theme1077709572 Section
\Windows\Theme3461253685 Section

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\wusa.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/0cb59520d3858469821d4bde32e003cf4328f0931bc345473459ee071723d978/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\wextract.exe 57
C:\windows\system32\wextract.exe 57
C:\Windows\system32\wextract.exe 57
C:\Windows\system32\wextract.exe 58
C:\WINDOWS\system32\wextract.exe 57
C:\Windows\system32\wextract.exe 58
C:\WINDOWS\system32\wusa.exe 61
C:\Windows\system32\wusa.exe 47
C:\WINDOWS\system32\wusa.exe 36
C:\windows\system32\wusa.exe 43
C:\Windows\system32\wusa.exe 27
C:\Windows\system32\wusa.exe 27
C:\Windows\system32\wusa.exe 36
C:\WINDOWS\SysWOW64\wextract.exe 61
C:\WINDOWS\SysWOW64\wextract.exe 54
C:\Windows\SysWOW64\wextract.exe 58
C:\Windows\SysWOW64\wextract.exe 57
C:\windows\SysWOW64\wextract.exe 57
C:\Windows\SysWOW64\wextract.exe 57
C:\Windows\SysWOW64\wusa.exe 40
C:\Windows\SysWOW64\wusa.exe 38
C:\Windows\SysWOW64\wusa.exe 38
C:\Windows\SysWOW64\wusa.exe 38
C:\WINDOWS\SysWOW64\wusa.exe 40
C:\windows\SysWOW64\wusa.exe 43

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' DRL 1.0
signature-base apt_thrip.yar $s5 = "wusa.exe" fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s4 = "wusa.exe" fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.