wusa.exe

  • File Path: C:\Windows\system32\wusa.exe
  • Description: Windows Update Standalone Installer

Screenshot

wusa.exe

Hashes

Type Hash
MD5 E43499EE2B4CF328A81BACE9B1644C5D
SHA1 B2B55641F2799E3FDB3BEA709C9532017BBAC59D
SHA256 3E30230BBF3CEEE3E58162B61EED140E9616210833A6AD7DF3E106BC7492D2FB
SHA384 4955918AE67A41A2A46F874689A39A299656F1FE137F47EEEC0AA5A6EE53D1D1D91DA703E8A05341906E08B830659178
SHA512 04823764520871F9202D346B08A194BDD5F5929DB6D5C2F113911F84AECE7471C8D3BD2C4256119A303DBE18A0C055DBC5034D80B1F27A43744104544731F52B
SSDEEP 6144:wyOES0wBOfIkdjnI+iczCL4cM0ZggD32bItobtMHxM8cs9YpxyN90vE:wymlBOfIkdjnI+iGCL4cMkggD32bItoL
IMP D5DF0EEDD7391E2E10449234FFBF3BF0
PESHA1 D403D38AAB04CAB36D4BEFBC663C4B91EE4D50EE
PE256 90069614E4D317DCE250F12B102A9F190588983EBB319084C3BB9E4281D01DE5

Runtime Data

Window Title:

Windows Update Standalone Installer

Open Handles:

Path Type
(R-D) C:\Windows\Fonts\StaticCache.dat File
(R-D) C:\Windows\System32\en-US\duser.dll.mui File
(R-D) C:\Windows\System32\en-US\KernelBase.dll.mui File
(R-D) C:\Windows\System32\en-US\wusa.exe.mui File
(R-D) C:\Windows\SystemResources\imageres.dll.mun File
(R-D) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9\comctl32.dll.mui File
(RW-) C:\Users\user File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.19041.1_en-us_cb612d02732b0fd9 File
(RW-) C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.19041.1110_none_60b5254171f9507e File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2 Section
\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\1\Windows\Theme449731986 Section
\Windows\Theme1396518710 Section

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll
C:\Windows\system32\wusa.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: wusa.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/3e30230bbf3ceee3e58162b61eed140e9616210833a6ad7df3e106bc7492d2fb/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\wusa.exe 33
C:\Windows\system32\wusa.exe 49
C:\WINDOWS\system32\wusa.exe 44
C:\windows\system32\wusa.exe 33
C:\Windows\system32\wusa.exe 86
C:\Windows\system32\wusa.exe 40
C:\Windows\SysWOW64\wusa.exe 36
C:\Windows\SysWOW64\wusa.exe 41
C:\Windows\SysWOW64\wusa.exe 35
C:\WINDOWS\SysWOW64\wusa.exe 27
C:\Windows\SysWOW64\wusa.exe 38
C:\WINDOWS\SysWOW64\wusa.exe 35
C:\windows\SysWOW64\wusa.exe 32

Possible Misuse

The following table contains possible examples of wusa.exe being misused. While wusa.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma file_event_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml description: Detects the pattern of UAC Bypass using NTFS reparse point and wusa.exe DLL hijacking (UACMe 36) DRL 1.0
sigma proc_creation_win_uac_bypass_ntfs_reparse_point.yml CommandLine\|startswith: '"C:\Windows\system32\wusa.exe" /quiet C:\Users\' DRL 1.0
signature-base apt_thrip.yar $s5 = “wusa.exe” fullword ascii CC BY-NC 4.0
signature-base apt_thrip.yar $s4 = “wusa.exe” fullword ascii CC BY-NC 4.0

MIT License. Copyright (c) 2020-2021 Strontic.