wusa.exe

  • File Path: C:\Windows\SysWOW64\wusa.exe
  • Description: Windows Update Standalone Installer

Runtime Data

Window Title:

Windows Update Standalone Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\wusa.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_130e63d987a738df File
(RW-) C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.488_none_11b1e5df2ffd8627 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme1175649999 Section
\Windows\Theme601709542 Section

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\wusa.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/76
  • VirusTotal Link: https://www.virustotal.com/gui/file/5ae6a1f1135e9423d4cb409967591f776f7729c7b784e76380b4c727b89538aa/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\wusa.exe 41
C:\Windows\system32\wusa.exe 40
C:\WINDOWS\system32\wusa.exe 43
C:\windows\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 35
C:\Windows\system32\wusa.exe 38
C:\Windows\system32\wusa.exe 36
C:\Windows\SysWOW64\wusa.exe 54
C:\Windows\SysWOW64\wusa.exe 75
C:\Windows\SysWOW64\wusa.exe 55
C:\WINDOWS\SysWOW64\wusa.exe 38
C:\WINDOWS\SysWOW64\wusa.exe 49
C:\windows\SysWOW64\wusa.exe 50

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml CommandLine|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' DRL 1.0
signature-base apt_thrip.yar $s5 = "wusa.exe" fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s4 = "wusa.exe" fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.