WSReset.exe

  • File Path: C:\WINDOWS\system32\WSReset.exe
  • Description: This tool resets the Windows Store without changing account settings or deleting installed apps

Hashes

Type Hash
MD5 995126C0032052970C0A5F89AB34A325
SHA1 E1E6481CDC1487BD620FE3E2B1019C26D2F70CD4
SHA256 0EDD534686643B1770D6897EAB387B9D2A82FC57593ADA049F1DC807FE792253
SHA384 3A91401FA18780764CCFAB84792BB9C27CC547444D2E4C2C48330F79F7FE9056062F43AA6A97C32B3B11C5BDE5C5AE43
SHA512 9682B08434A1EE77B1FBD368978861E2C5135F121569F4432481D8E9C793E96477F01AAE3629113EC05C6678CCDDD07795B1A4B70D950C9AB5FAFF6C125B6634
SSDEEP 768:I/YIv7YzH5FVHnwgdie0+yYqN1Nsn4FOBkStBWo:mYIkbHVHn58VNGg0Yo
IMP AB03184F9306BF7E8482C6F987BA1832
PESHA1 9B6275F3071E0BBE9495AD4F2A5D0B72B55190E0
PE256 A3037D8776C84176FAABC039C1C2B289EA63784D037ADA00F57A34FB7FAAAB47

Runtime Data

Child Processes:

conhost.exe

Open Handles:

Path Type
(RW-) C:\Windows\System32 File
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db Section
\BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\NLS_CodePage_437_3_2_0_0 Section
\Sessions\2\BaseNamedObjects\windows_shell_global_counters Section

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\WSReset.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: WSReset.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/74
  • VirusTotal Link: https://www.virustotal.com/gui/file/0edd534686643b1770d6897eab387b9d2a82fc57593ada049f1dc807fe792253/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\WSCollect.exe 38
C:\Windows\system32\WSCollect.exe 44
C:\Windows\system32\WSCollect.exe 43
C:\Windows\system32\WSCollect.exe 40
C:\Windows\system32\WSCollect.exe 47
C:\WINDOWS\system32\WSCollect.exe 40
C:\Windows\system32\WSReset.exe 47
C:\Windows\system32\WSReset.exe 47
C:\Windows\system32\WSReset.exe 43
C:\Windows\system32\WSReset.exe 40
C:\WINDOWS\system32\WSReset.exe 47

Possible Misuse

The following table contains possible examples of WSReset.exe being misused. While WSReset.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_uac_bypass_wsreset.yml title: UAC Bypass WSReset DRL 1.0
sigma win_uac_bypass_wsreset.yml description: Detects the pattern of UAC Bypass via WSReset usable by default sysmon-config DRL 1.0
sigma win_uac_bypass_wsreset.yml - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ DRL 1.0
sigma win_uac_bypass_wsreset.yml Image|endswith: '\wsreset.exe' DRL 1.0
sigma win_uac_wsreset.yml title: Bypass UAC via WSReset.exe DRL 1.0
sigma win_uac_wsreset.yml description: Identifies use of WSReset.exe to bypass User Account Control. Adversaries use this technique to execute privileged processes. DRL 1.0
sigma win_uac_wsreset.yml ParentImage|endswith: '\wsreset.exe' DRL 1.0
sigma win_wsreset_uac_bypass.yml title: Wsreset UAC Bypass DRL 1.0
sigma win_wsreset_uac_bypass.yml description: Detects a method that uses Wsreset.exe tool that can be used to reset the Windows Store to bypass UAC DRL 1.0
sigma win_wsreset_uac_bypass.yml - https://lolbas-project.github.io/lolbas/Binaries/Wsreset/ DRL 1.0
sigma win_wsreset_uac_bypass.yml - '\WSreset.exe' DRL 1.0
sigma win_wsreset_uac_bypass.yml - Unknown sub processes of Wsreset.exe DRL 1.0
sigma sysmon_bypass_via_wsreset.yml title: UAC Bypass Via Wsreset DRL 1.0
sigma sysmon_bypass_via_wsreset.yml description: Unfixed method for UAC bypass from windows 10. WSReset.exe file associated with the Windows Store. It will run a binary file contained in a low-privilege registry. DRL 1.0
sigma sysmon_bypass_via_wsreset.yml - https://lolbas-project.github.io/lolbas/Binaries/Wsreset DRL 1.0
LOLBAS Wsreset.yml Name: Wsreset.exe  
LOLBAS Wsreset.yml - Command: wsreset.exe  
LOLBAS Wsreset.yml Description: During startup, wsreset.exe checks the registry value HKCU\Software\Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command for the command to run. Binary will be executed as a high-integrity process without a UAC prompt being displayed to the user.  
LOLBAS Wsreset.yml - Path: C:\Windows\System32\wsreset.exe  
LOLBAS Wsreset.yml - IOC: wsreset.exe launching child process other than mmc.exe  
atomic-red-team T1548.002.md Target: \system32\WSReset.exe MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.