EchoTrail

msbuild.exe

Source: Wild

Summary

MSBuild.exe is Microsoft's Build Engine. It is a platform used to build applications and is part of Microsoft Visual Studio. Visual Studio depends on MSBuild, but MSBuild can also be used independently.

EchoTrail Prevalence Score (EPS)

30.48

Rank Analysis

Host Prevalence

2.1%

Execution Rank

1,523rd

Behavioral Analysis

Top Hashes

e92325c4ae73cefeb2ec0c238bfc781189e9391a7f5f7bb3004b735ce9a763ed

38.06 %

Top Paths

C:\Program Files (x86)\Microsoft Visual Studio\2017\Community\MSBuild\15.0\Bin

37.88 %

Top Network Ports

8000

100.00 %

Ancestry Analysis

Top GrandParents

Top Parents

Top Children

Security Analysis

Intel

Given MSBuild’s ability to process higher level code (e.g. C++ and .NET) on the fly, it has become a popular native Windows tool being leveraged during advanced attacks and pentests. It is sometimes found in malicious activity involving the compiling or running of malware. One common method of compiling and running malicious code using MSBuild is to provide it with a malicious .csproj file, which can be seen in the abused MSBuild’s command line. Examining what processes are launched by a suspicious MSBuild process can help one infer what the suspicious code is doing.