wusa.exe

  • File Path: C:\WINDOWS\system32\wusa.exe
  • Description: Windows Update Standalone Installer

Hashes

| Type | Hash |
|------|------|
| MD5 | 7E8AE39BE13B6F0A7CAD480B7148123F |
| SHA1 | 7C564D675A33EEA6A7F5952935416311B0087A05 |
| SHA256 | B38C8C76D561271BA6F49AD9645D06CD8C1733CFD55E4FDAEED1D41682D67BAF |
| SHA384 | DB02F90A695E7F0C4A5F001E9BEFC2C02C65C0BDDDE9F96C7509B40E7EF46953F7236D922D41C6AD4FC39AC23531F34D |
| SHA512 | 621A4B1DE59A9A2CDF1D8F591B4BB27162C6F932DD638F38D777F3C0EB47539E1F24C3B0AB48F9AE023F53EB18F60FAF1691C6867DBD5C38A339C3ED28BDC502 |
| SSDEEP | 6144:LlNRXjJMGrLIirYc+MHxM8cp98pxyN90vE:LlXTyGrxrYxMHxMf8y90 |

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

| File | Score |
|------|-------|
| C:\Windows\system32\PkgMgr.exe | 47 |
| C:\WINDOWS\system32\wusa.exe | 38 |
| C:\Windows\system32\wusa.exe | 58 |
| C:\windows\system32\wusa.exe | 47 |
| C:\Windows\system32\wusa.exe | 44 |
| C:\Windows\system32\wusa.exe | 44 |
| C:\Windows\system32\wusa.exe | 41 |
| C:\Windows\SysWOW64\wusa.exe | 35 |
| C:\Windows\SysWOW64\wusa.exe | 47 |
| C:\Windows\SysWOW64\wusa.exe | 46 |
| C:\WINDOWS\SysWOW64\wusa.exe | 36 |
| C:\Windows\SysWOW64\wusa.exe | 43 |
| C:\WINDOWS\SysWOW64\wusa.exe | 36 |
| C:\windows\SysWOW64\wusa.exe | 38 |

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|--------|-------------|---------|---------|
| sigma | file_event_win_uac_bypass_ntfs_reparse_point.yml | description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | CommandLine\|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' | DRL 1.0 |
| signature-base | apt_thrip.yar | $s5 = "wusa.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s4 = "wusa.exe" fullword ascii | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.