Adversaries may embed the MSUpdater string in executables to disguise malicious payloads or to evade detection by mimicking legitimate Windows update components. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify malware masquerading as trusted system components and to mitigate advanced threats that leverage them.
YARA Rule
rule Malware_MsUpdater_String_in_EXE
{
    meta:
        description = "MSUpdater String in Executable"
        author = "Florian Roth"
        score = 50
        reference = "VT Analysis"
        date = "2015-06-03"
        hash = "b1a2043b7658af4d4c9395fa77fde18ccaf549bb"
    strings:
        $x1 = "msupdate.exe" fullword wide /* PEStudio Blacklist: strings */ /* score: '20.01' */
        // $x2 = "msupdate" fullword wide /* PEStudio Blacklist: strings */ /* score: '13.01' */
        $x3 = "msupdater.exe" fullword ascii /* PEStudio Blacklist: strings */ /* score: '20.02' */
        $x4 = "msupdater32.exe" fullword ascii
        $x5 = "msupdater32.exe" fullword wide
        $x6 = "msupdate.pif" fullword ascii
        $fp1 = "_msupdate_" wide /* False Positive */
        $fp2 = "_msupdate_" ascii /* False Positive */
        $fp3 = "/kies" wide
    condition:
        uint16(0) == 0x5a4d and filesize < 500KB and ( 1 of ($x*) ) and not ( 1 of ($fp*) )
}
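To make the rule's condition concrete, the following added example (written for this page, not Florian Roth's code or part of YARA) re-implements its logic in plain Python and runs it over constructed byte strings. It shows the three things a triager usually has to reason about: the little-endian `uint16(0) == 0x5a4d` MZ check, the `fullword` and `wide` matching semantics (approximated here as YARA does them: no alphanumeric neighbour, with wide strings encoded as UTF-16LE), and how a single `$fp*` hit suppresses an otherwise matching `$x*` hit. The `fake_pe` helper and every sample are constructed; none is a real file.

```python
import struct

# (text, encoding, fullword) copied from the rule. $x2 is commented out in the
# rule and is therefore omitted here.
X_STRINGS = [
    ("msupdate.exe", "wide", True),      # $x1
    ("msupdater.exe", "ascii", True),    # $x3
    ("msupdater32.exe", "ascii", True),  # $x4
    ("msupdater32.exe", "wide", True),   # $x5
    ("msupdate.pif", "ascii", True),     # $x6
]
FP_STRINGS = [
    ("_msupdate_", "wide", False),   # $fp1
    ("_msupdate_", "ascii", False),  # $fp2
    ("/kies", "wide", False),        # $fp3
]
MAX_FILESIZE = 500 * 1024  # YARA's "500KB" (KB = 1024 bytes)


def encode(text, enc):
    """YARA 'ascii' is the raw bytes; 'wide' is UTF-16LE (each char followed by 0x00)."""
    return text.encode("ascii") if enc == "ascii" else text.encode("utf-16-le")


def is_alnum(b):
    # ASCII letters/digits only, which is what YARA's fullword check looks at
    return bytes([b]).isalnum()


def fullword_ok(data, start, end, enc):
    """True if the match at data[start:end] is not glued to an alphanumeric neighbour
    (approximation of YARA's fullword modifier)."""
    if enc == "ascii":
        before_ok = start == 0 or not is_alnum(data[start - 1])
        after_ok = end >= len(data) or not is_alnum(data[end])
    else:  # wide: the neighbours are 2-byte UTF-16LE code units
        before_ok = start < 2 or not (is_alnum(data[start - 2]) and data[start - 1] == 0)
        after_ok = end + 1 >= len(data) or not (is_alnum(data[end]) and data[end + 1] == 0)
    return before_ok and after_ok


def string_matches(data, text, enc, fullword):
    """Search every occurrence; one that passes the fullword check is enough."""
    needle = encode(text, enc)
    pos = data.find(needle)
    while pos != -1:
        if not fullword or fullword_ok(data, pos, pos + len(needle), enc):
            return True
        pos = data.find(needle, pos + 1)
    return False


def rule_matches(data):
    """Evaluate the condition of Malware_MsUpdater_String_in_EXE on a byte string."""
    # uint16(0) == 0x5a4d: the first two bytes read little-endian must be "MZ"
    if len(data) < 2 or struct.unpack_from("<H", data, 0)[0] != 0x5A4D:
        return False
    if len(data) >= MAX_FILESIZE:                               # filesize < 500KB
        return False
    if not any(string_matches(data, *s) for s in X_STRINGS):   # 1 of ($x*)
        return False
    if any(string_matches(data, *s) for s in FP_STRINGS):      # not 1 of ($fp*)
        return False
    return True


def fake_pe(payload):
    """Constructed stand-in for an executable: MZ magic, padding, payload, padding."""
    return b"MZ" + b"\x90" * 62 + payload + b"\x00" * 64


# Constructed samples; none is a real file.
SAMPLES = {
    "hit_ascii": fake_pe(b"\x00msupdater.exe\x00"),
    "hit_wide": fake_pe("msupdate.exe".encode("utf-16-le")),
    "not_fullword": fake_pe(b"xmsupdater.exe"),          # glued to 'x': fullword fails
    "fp_excluded": fake_pe(b"msupdater.exe\x00" + "_msupdate_".encode("utf-16-le")),
    "not_pe": b"PK\x03\x04" + b"msupdater.exe",           # no MZ header
    "too_large": fake_pe(b"msupdater.exe") + b"\x00" * MAX_FILESIZE,
}


def evaluate_samples():
    """Map each constructed sample name to the rule's verdict."""
    return {name: rule_matches(blob) for name, blob in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in evaluate_samples().items():
        print(f"{name:14} -> {'MATCH' if verdict else 'no match'}")
```

The `fp_excluded` sample is the case worth studying: it carries a genuine `$x3` hit, yet the rule stays silent because `$fp1` is present as a wide string, which is exactly the trade-off the author accepted to keep noise down. For production use, scan with a real YARA engine; this re-implementation exists only to make the condition readable.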
This YARA rule can be deployed in the following contexts; each scenario is paired with a filter/exclusion for the benign activity that could otherwise produce false positives:
This rule defines 9 string patterns in its detection logic (one of them, $x2, is commented out and is not evaluated).

Scenario: Microsoft Windows Update Agent (wuauserv) running as part of a scheduled task to check for updates
Filter/Exclusion: process.parent_process_name == "schtasks.exe" or process.parent_process_name == "taskhost.exe"

Scenario: Microsoft System Configuration Tool (msconfig) being used by an administrator to manage startup items
Filter/Exclusion: process.name == "msconfig.exe" or process.parent_process_name == "explorer.exe"

Scenario: Microsoft Deployment Toolkit (MDT) running during an OS deployment process
Filter/Exclusion: process.name == "setup.exe" or process.parent_process_name == "msdt.exe"

Scenario: Microsoft Endpoint Configuration Manager (formerly SCCM) running a software update scan
Filter/Exclusion: process.name == "ccmexec.exe" or process.parent_process_name == "smsexec.exe"

Scenario: Microsoft PowerShell script running a legitimate update check or system maintenance task
Filter/Exclusion: process.name == "powershell.exe" and (process.command_line contains "Update-Module" or process.command_line contains "Get-Hotfix")
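The exclusions above are written in a generic `field == value` notation rather than in any one query language. The added example below (written for this page; it is not Sentinel code or part of the rule) applies the five filters to a handful of constructed process events so the triage outcome can be inspected. It also demonstrates why the PowerShell clause needs explicit parentheses: AND binds tighter than OR, so `name == "powershell.exe" and cmd contains "Update-Module" or cmd contains "Get-Hotfix"` excludes any process whose command line mentions `Get-Hotfix`, whatever the process is. The event dictionaries and their `id` field are constructed; the field names follow the page's notation.

```python
# Constructed process events; field names follow the page's filter notation.
EVENTS = [
    {"id": 1, "process.name": "msupdater.exe", "process.parent_process_name": "taskhost.exe",
     "process.command_line": "msupdater.exe"},
    {"id": 2, "process.name": "msupdater.exe", "process.parent_process_name": "winword.exe",
     "process.command_line": "msupdater.exe /s"},
    {"id": 3, "process.name": "powershell.exe", "process.parent_process_name": "services.exe",
     "process.command_line": "powershell.exe -Command Get-Hotfix"},
    {"id": 4, "process.name": "cmd.exe", "process.parent_process_name": "winword.exe",
     "process.command_line": "cmd.exe /c echo Get-Hotfix"},
]


def field(event, name):
    """Missing fields compare as empty strings rather than raising."""
    return event.get(name, "") or ""


# One predicate per scenario on the page.
def excluded_scheduled_update(e):
    return field(e, "process.parent_process_name") in ("schtasks.exe", "taskhost.exe")


def excluded_msconfig(e):
    return (field(e, "process.name") == "msconfig.exe"
            or field(e, "process.parent_process_name") == "explorer.exe")


def excluded_mdt(e):
    return (field(e, "process.name") == "setup.exe"
            or field(e, "process.parent_process_name") == "msdt.exe")


def excluded_mecm(e):
    return (field(e, "process.name") == "ccmexec.exe"
            or field(e, "process.parent_process_name") == "smsexec.exe")


def excluded_powershell(e):
    """Parenthesised form: only powershell.exe with one of the two cmdlets is excluded."""
    cmd = field(e, "process.command_line")
    return (field(e, "process.name") == "powershell.exe"
            and ("Update-Module" in cmd or "Get-Hotfix" in cmd))


def excluded_powershell_unparenthesised(e):
    """The same clause with AND/OR precedence left implicit: the Get-Hotfix test
    is no longer tied to powershell.exe, so it over-excludes."""
    cmd = field(e, "process.command_line")
    return ((field(e, "process.name") == "powershell.exe" and "Update-Module" in cmd)
            or "Get-Hotfix" in cmd)


def triage(events, powershell_filter=excluded_powershell):
    """Return the events that survive every exclusion, i.e. those still worth alerting on."""
    filters = [excluded_scheduled_update, excluded_msconfig, excluded_mdt,
               excluded_mecm, powershell_filter]
    return [e for e in events if not any(f(e) for f in filters)]


def surviving_ids(events, powershell_filter=excluded_powershell):
    return [e["id"] for e in triage(events, powershell_filter)]


if __name__ == "__main__":
    print("parenthesised  :", surviving_ids(EVENTS))
    print("unparenthesised:", surviving_ids(EVENTS, excluded_powershell_unparenthesised))
```

Event 4 (a `cmd.exe` whose command line merely echoes the word `Get-Hotfix`) survives the parenthesised filter but is silently dropped by the unparenthesised one, which is the failure mode to check for before shipping any of these exclusions. Note also that `process.parent_process_name == "explorer.exe"` in the msconfig scenario matches most interactively launched programs, so in practice that clause should be combined with `process.name == "msconfig.exe"` rather than OR'd with it.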