wusa.exe

  • File Path: C:\Windows\system32\wusa.exe
  • Description: Windows Update Standalone Installer

Hashes

Type Hash
MD5 8A0B789F779802881EEAC4F99532A35C
SHA1 5E01067FDAA7EB84CEDEF00D0D3C238455DB4846
SHA256 2AF3885AB02E20B64C60AE7D8E2B3E07667529C5A7699CE16AD83D33AB781020
SHA384 0CEF8CA30B8F007432E455C3842C21E23E8AFBE3516AF440F64D70BCAE0AEDA7D6F056B2EE3E021B81DF7D77550E22D8
SHA512 0567735C1D47FB0CC54FE76045250B79911A1308112047BE158F32D04347E2BAD6F6A15B1369AA7C8A60BEC347F721924F26F9F1FDC5889FC3241BEF017A32D9
SSDEEP 6144:3qOUK0HBOfIkdjnI+iczCL4cM0ZggD32bItObtMHxM8cL9hpxyN90vE:3qOaBOfIkdjnI+iGCL4cMkggD32bItO5
IMP 9565B2082CB4F1BF01973EA3AEE6DC58
PESHA1 36268FE565B9F49B72B916CA6EF4A0818D548D46
PE256 F5CCD290D6D71F707F0C749BEB56674ED7021E22BF36B2C8A5575F150C4EA4C0

Runtime Data

Window Title:

Windows Update Standalone Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\wusa.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_ca04af081b815d21 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\win32u.dll
C:\Windows\system32\wusa.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/2af3885ab02e20b64c60ae7d8e2b3e07667529c5a7699ce16ad83d33ab781020/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\wusa.exe 33
C:\Windows\system32\wusa.exe 44
C:\WINDOWS\system32\wusa.exe 44
C:\windows\system32\wusa.exe 33
C:\Windows\system32\wusa.exe 86
C:\Windows\system32\wusa.exe 44
C:\Windows\SysWOW64\wusa.exe 36
C:\Windows\SysWOW64\wusa.exe 38
C:\Windows\SysWOW64\wusa.exe 38
C:\WINDOWS\SysWOW64\wusa.exe 27
C:\Windows\SysWOW64\wusa.exe 35
C:\WINDOWS\SysWOW64\wusa.exe 32
C:\windows\SysWOW64\wusa.exe 33

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
| --- | --- | --- | --- |
| sigma | file_event_win_uac_bypass_ntfs_reparse_point.yml | description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) | DRL 1.0 |
| sigma | proc_creation_win_uac_bypass_ntfs_reparse_point.yml | CommandLine\|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' | DRL 1.0 |
| signature-base | apt_thrip.yar | $s5 = "wusa.exe" fullword ascii | CC BY-NC 4.0 |
| signature-base | apt_thrip.yar | $s4 = "wusa.exe" fullword ascii | CC BY-NC 4.0 |

MIT License. Copyright (c) 2020-2021 Strontic.