MPSIGSTUB.EXE stands for Microsoft Malware Protection Signature Stub and is part of the Microsoft Security Essentials software. A user usually encounters this file when the antivirus's databases need to be updated manually. Let us look at what this process involves.
What is the MPSIGSTUB.EXE process?
Basic facts
The process only appears in the Task Manager list while Security Essentials is installed and an update is running, so it is hard to catch.
File location
Click the "Start" button on the taskbar and type "MPSIGSTUB.EXE" into the "Search programs and files" field. The search results show an entry named "MPSIGSTUB". Right-click it and choose "Open file location" from the context menu.
This opens the directory that contains the file.
The full path of the process's executable is:
C:\Windows\System32\mpsigstub.exe
The file can also be found inside an "mpam-feX64" package, which is designed to update Security Essentials.
Purpose
MPSIGSTUB.EXE is the application that runs the update process for Microsoft's well-known antivirus. To view information about the file, right-click it in the "System32" folder and choose "Properties".
The MPSIGSTUB.EXE properties window opens.
On the "Digital Signatures" tab you can see that MPSIGSTUB.EXE carries a digital signature from Microsoft Corporation, which confirms its authenticity.
Process start and end
The process starts when Security Essentials updates and ends automatically when the update finishes.
Read more: Updating the Microsoft Security Essentials databases manually
Malware posing as the antivirus
Malware very often disguises itself as this process. A file is therefore malicious if:
- it stays in Task Manager for a long time;
- it has no digital signature;
- its location differs from the ones given above.
You can use the well-known Dr.Web CureIt utility to remove the threat.
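The three criteria above can be checked mechanically instead of by eye. The following PowerShell script is an added example, not part of the original article; it assumes Windows PowerShell run from an elevated prompt and a 30-minute threshold for "a long time". It also treats %TEMP%\<GUID>\ as an expected location, because the mpam-fe update package mentioned earlier extracts the stub there before running it.

```powershell
# Added example (not from the original article). Checks every running
# MpSigStub.exe against the three criteria: runtime, location, signature.
# Assumptions: Windows PowerShell 5.1+ or PowerShell 7, run elevated so
# the ExecutablePath of other users' processes is readable.
$maxMinutes = 30   # assumed threshold for "present for a long time"

function Test-MpSigStubProcesses {
    $procs = Get-CimInstance Win32_Process -Filter "Name = 'MpSigStub.exe'"
    if (-not $procs) { Write-Output 'No MpSigStub.exe process is running.'; return }

    $system32 = Join-Path $env:WINDIR 'System32\MpSigStub.exe'
    # The mpam-fe update package extracts the stub into %TEMP%\<GUID>\ and
    # runs it from there, so that location is expected during a manual update.
    # Note: $env:TEMP may be an 8.3 short name; compare the long form if needed.
    $tempPattern = Join-Path $env:TEMP '*\MpSigStub.exe'

    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        $findings = @()

        # Criterion 1: a legitimate stub exits when the update finishes.
        $age = (Get-Date) - $p.CreationDate
        if ($age.TotalMinutes -gt $maxMinutes) {
            $findings += "running for $([int]$age.TotalMinutes) minutes"
        }

        # Criterion 2: location must be System32 or the update's temp folder.
        if (-not $path) {
            $findings += 'executable path not readable (run elevated)'
        } elseif ($path -ne $system32 -and $path -notlike $tempPattern) {
            $findings += "unexpected location $path"
        }

        # Criterion 3: a valid Authenticode signature whose signer is Microsoft.
        if ($path -and (Test-Path -LiteralPath $path)) {
            $sig = Get-AuthenticodeSignature -FilePath $path
            $signer = $sig.SignerCertificate.Subject
            if ($sig.Status -ne 'Valid' -or $signer -notlike '*O=Microsoft Corporation*') {
                $findings += "signature status $($sig.Status), signer '$signer'"
            }
        }

        $verdict = if ($findings) { 'SUSPICIOUS: ' + ($findings -join '; ') } else { 'looks legitimate' }
        Write-Output ("PID {0} {1} -> {2}" -f $p.ProcessId, $path, $verdict)
    }
}

Test-MpSigStubProcesses
```

A file flagged only for its location while an update is in progress is usually the legitimate stub dropped by the update package; a missing or non-Microsoft signature is the decisive finding.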
As this review has shown, the presence of MPSIGSTUB.EXE on a system is mainly due to the installed Microsoft Security Essentials antivirus. At the same time, the process can be impersonated by malware, which is easily detected and removed by scanning with the appropriate utilities.
Sandbox analysis of the update package "mpam-cb47092c.exe" (Hybrid Analysis report excerpt)

Risk Assessment
- Persistence: writes data to a remote process
- Fingerprint: queries process information; reads the active computer name
- Evasive: marks file for deletion; possibly checks for the presence of an antivirus engine

Indicators (summary)
- Process has a system process name but is not located in a Windows [sub-]directory (source: Monitored Target, relevance 3/10)
  details: Process "MpSigStub.exe" has a system process name but is not located in a Windows [sub-]directory
- Writes data to a remote process (source: API Call, relevance 6/10)
  details: "mpam-cb47092c.exe" wrote 32 bytes to a remote process "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\MpSigStub.exe" [Handle: 88]
  "mpam-cb47092c.exe" wrote 52 bytes to a remote process "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\MpSigStub.exe" [Handle: 88]
  "mpam-cb47092c.exe" wrote 8 bytes to a remote process "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\MpSigStub.exe" [Handle: 88]

Suspicious indicators
- Anti-Reverse Engineering
  - Looks up many procedures within the same disassembly stream [often used to hide usage] (source: Hybrid Analysis Technology, relevance 10/10)
    details: Found 11 calls to [procedure name missing from the extract] from MpSigStub.exe [PID: 3728]
  - PE file has unusual entropy sections (source: Static Parser, relevance 10/10)
    details: three .rsrc sections with unusual entropies 7.9988033415, 7.92955882347 and 7.9902743103
- Environment Awareness
  - Contains ability to query CPU information
  - Reads the active computer name (source: Registry Access, relevance 5/10)
    details: "MpSigStub.exe" [Path: "HKLM\SYSTEM\CONTROLSET001\CONTROL\COMPUTERNAME\ACTIVECOMPUTERNAME"; Key: "COMPUTERNAME"]
- General
  - Contains ability to find and load resources of a specific module (source: Hybrid Analysis Technology, relevance 1/10)
    details: from MpSigStub.exe [PID: 3728]
- Installation/Persistence
  - Creates new processes (source: API Call, relevance 8/10)
    details: "mpam-cb47092c.exe" is creating a new process [Name: "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\MpSigStub.exe", Handle: 88]
  - Drops executable files (source: Extracted File, relevance 10/10)
    details: "MpSigStub.exe" has type "PE32+ executable [GUI] x86-64 for MS Windows"
    "mpavdlta.vdm" has type "PE32+ executable [DLL] [console] x86-64 for MS Windows"
    "mpasdlta.vdm" has type "PE32+ executable [DLL] [console] x86-64 for MS Windows"
- Spyware/Information Retrieval
  - Contains ability to enumerate processes/modules/threads
- System Destruction
  - Marks file for deletion (source: API Call, relevance 10/10)
    details: "C:\mpam-cb47092c.exe" marked "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.1.15600.4_to_1.1.15700.8_mpengine.dll._p" for deletion
    "C:\mpam-cb47092c.exe" marked "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\MpSigStub.exe" for deletion
    "C:\mpam-cb47092c.exe" marked "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.285.0.0_to_1.287.0.0_mpasbase.vdm._p" for deletion
    "C:\mpam-cb47092c.exe" marked "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.285.0.0_to_1.287.0.0_mpavbase.vdm._p" for deletion
    "C:\mpam-cb47092c.exe" marked "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\mpavdlta.vdm" for deletion
    "C:\mpam-cb47092c.exe" marked "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\mpasdlta.vdm" for deletion
    "C:\mpam-cb47092c.exe" marked "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192" for deletion
  - Opens file with deletion access rights (source: API Call, relevance 7/10)
    details: "mpam-cb47092c.exe" opened "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\mpavdlta.vdm" with delete access
    "mpam-cb47092c.exe" opened "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.285.0.0_to_1.287.0.0_mpavbase.vdm._p" with delete access
    "mpam-cb47092c.exe" opened "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\mpasdlta.vdm" with delete access
    "mpam-cb47092c.exe" opened "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.285.0.0_to_1.287.0.0_mpasbase.vdm._p" with delete access
    "mpam-cb47092c.exe" opened "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\MpSigStub.exe" with delete access
    "mpam-cb47092c.exe" opened "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.1.15600.4_to_1.1.15700.8_mpengine.dll._p" with delete access
    "mpam-cb47092c.exe" opened "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192" with delete access
- System Security
  - Contains ability to elevate privileges (source: Hybrid Analysis Technology, relevance 10/10)
- Unusual Characteristics
  - CRC value set in PE header does not match actual value (source: Static Parser, relevance 10/10)
    details: "MpSigStub.exe" claimed CRC 643543 while the actual is CRC 13395281
    "mpavdlta.vdm" claimed CRC 79392 while the actual is CRC 643543
    "mpasdlta.vdm" claimed CRC 159882 while the actual is CRC 79392
  - Imports suspicious APIs (source: Static Parser, relevance 1/10)
  - Timestamp in PE header is very old or in the future (source: Static Parser, relevance 10/10)
    details: "MpSigStub.exe" claims program is from Sun May 18 18:23:40 2053

Informative indicators
- Anti-Reverse Engineering
  - Contains ability to register a top-level exception handler [often used as anti-debugging trick]
- Environment Awareness
  - Contains ability to query machine time
  - Contains ability to query the machine version
  - Possibly tries to detect the presence of a debugger
- External Systems
  - Sample was identified as clean by Antivirus engines (source: External System, relevance 10/10)
    details: 0/36 Antivirus vendors marked sample as malicious [0% detection rate]
    0/69 Antivirus vendors marked sample as malicious [0% detection rate]
- General
  - Contains PDB pathways (source: String, relevance 1/10)
    details: "MpAdlStub.pdb", "MpSigStub.pdb"
  - Contains ability to create named pipes for inter-process communication [IPC] (source: Hybrid Analysis Technology, relevance 10/10)
    details: from MpSigStub.exe [PID: 3728]
  - Creates a writable file in a temporary directory (source: API Call, relevance 1/10)
    details: "mpam-cb47092c.exe" created file "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.1.15600.4_to_1.1.15700.8_mpengine.dll._p"
    "mpam-cb47092c.exe" created file "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\MpSigStub.exe"
    "mpam-cb47092c.exe" created file "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.285.0.0_to_1.287.0.0_mpasbase.vdm._p"
    "mpam-cb47092c.exe" created file "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\mpasdlta.vdm"
    "mpam-cb47092c.exe" created file "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\1.285.0.0_to_1.287.0.0_mpavbase.vdm._p"
    "mpam-cb47092c.exe" created file "%TEMP%\AD9AE8EF-1F45-4396-A46E-7D73CBA15192\mpavdlta.vdm"
    "MpSigStub.exe" created file "%WINDIR%\Temp\MpSigStub.log"
  - Drops files marked as clean (source: Extracted File, relevance 10/10)
    details: Antivirus vendors marked dropped file "MpSigStub.exe" as clean [type is "PE32+ executable [GUI] x86-64 for MS Windows"]
    Antivirus vendors marked dropped file "mpavdlta.vdm" as clean [type is "PE32+ executable [DLL] [console] x86-64 for MS Windows"]
    Antivirus vendors marked dropped file "mpasdlta.vdm" as clean [type is "PE32+ executable [DLL] [console] x86-64 for MS Windows"]
  - Process launched with changed environment (source: Monitored Target, relevance 10/10)
    details: Process "MpSigStub.exe" was launched with new environment variables: "UpdateTelemetryCV="+XlvDCxov06Zzzo+.1""
    Process "MpSigStub.exe" was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
    Process "MpSigStub.exe" was launched with missing environment variables: "PROCESSOR_ARCHITEW6432"
  - Spawns new processes (source: Monitored Target, relevance 3/10)
    details: Spawned process "MpSigStub.exe" with commandline "/stub 1.1.15500.2 /payload 1.287.13.0 /program C:\mpam-cb47092c. ..."
  - Spawns new processes that are not known child processes (source: Monitored Target, relevance 3/10)
    details: Spawned process "MpSigStub.exe" with commandline "/stub 1.1.15500.2 /payload 1.287.13.0 /program C:\mpam-cb47092c. ..."
  - The input sample is signed with a certificate (source: Certificate Data, relevance 10/10)
    details: The input sample is signed with a certificate issued by "CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" [SHA1: 9D:C1:78:88:B5:CF:AD:98:B3:CB:35:C1:99:4E:96:22:7F:06:16:75]
    The input sample is signed with a certificate issued by "CN=Microsoft Time-Stamp PCA, O=Microsoft Corporation, L=Redmond, ST=Washington, C=US" [SHA1: 91:06:CF:90:5B:37:57:FE:63:FC:AD:51:D8:97:3A:B6:26:05:EA:37]
    The input sample is signed with a certificate issued by "CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com" [SHA1: 3C:AF:9B:A2:DB:55:70:CA:F7:69:42:FF:99:10:1B:99:38:88:E2:57]
    The input sample is signed with a certificate issued by "CN=Microsoft Root Certificate Authority, DC=microsoft, DC=com" [SHA1: 37:5F:CB:82:5C:3D:C3:75:2A:02:E3:4E:B7:09:93:B4:99:71:91:EF]
- Installation/Persistence
  - Connects to LPC ports (source: API Call, relevance 1/10)
    details: "MpSigStub.exe" connecting to "\ThemeApiPort"
  - Dropped files (source: Extracted File, relevance 3/10)
    details: "MpSigStub.exe" has type "PE32+ executable [GUI] x86-64 for MS Windows"
    "1.285.0.0_to_1.287.0.0_mpavbase.vdm._p" has type "data"
    "MpSigStub.log" has type "Little-endian UTF-16 Unicode text with CRLF CR line terminators"
    "1.285.0.0_to_1.287.0.0_mpasbase.vdm._p" has type "data"
    "mpavdlta.vdm" has type "PE32+ executable [DLL] [console] x86-64 for MS Windows"
    "mpasdlta.vdm" has type "PE32+ executable [DLL] [console] x86-64 for MS Windows"
    "1.1.15600.4_to_1.1.15700.8_mpengine.dll._p" has type "data"
  - Touches files in the Windows directory (source: API Call, relevance 7/10)
    details: "mpam-cb47092c.exe" touched file "%WINDIR%\AppPatch\AppPatch64\sysmain.sdb"
    "MpSigStub.exe" touched file "%WINDIR%\Temp\MpSigStub.log"
    "MpSigStub.exe" touched file "%WINDIR%\Globalization\Sorting\SortDefault.nls"
- Network Related
  - Found potential URL in binary/memory