mavinject.exe

  • File Path: C:\Windows\system32\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type Hash
MD5 3196E7F92E0B4367444A185B5A4E757D
SHA1 34A26DEA01EA4A421F5512D1DEED5CDD0A4CCE59
SHA256 CFBCA5DDE322DD0CC6DD07412589B532B59302D4D7B1739BE248F9CDD24CD8E6
SHA384 6F1A5D44FFF031E592DD685D3A4E6CA141AA7E471CFEA8D17BCFC7D9B9BA6BA90B13B2819A688056A0478F39FB5D4726
SHA512 AE0D34ED7377C22715E620C827FAB62801234EC687294BF29BAE2BDD2126BED14464984F197ED70CD3372B3BFA07DFC213C2A6DEF250F0D5E8DEB4AEB0BB9899
SSDEEP 3072:1u/7/Qapj1CpO3KTWGNU6ITT9KoN7Dq6DUv:1KQapJCpO4WGNU6ITT9KG0v

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.14393.3659 (rs1_release_1.200410-1813)
  • Product Version: 10.0.14393.3659
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\AppVDllSurrogate.exe 25
C:\WINDOWS\system32\AppVDllSurrogate.exe 32
C:\Windows\system32\AppVDllSurrogate.exe 44
C:\Windows\system32\AppVDllSurrogate.exe 29
C:\Windows\system32\AppVFileSystemMetadata.dll 32
C:\Windows\system32\AppVManifest.dll 35
C:\Windows\system32\AppVNice.exe 35
C:\Windows\system32\AppVNice.exe 38
C:\Windows\system32\AppVNice.exe 36
C:\WINDOWS\system32\AppVNice.exe 50
C:\Windows\system32\AppVScripting.dll 30
C:\Windows\system32\AppVShNotify.exe 35
C:\Windows\system32\AppVShNotify.exe 38
C:\WINDOWS\system32\AppVShNotify.exe 36
C:\Windows\system32\AppVShNotify.exe 38
C:\Windows\system32\AppVStreamingUX.dll 36
C:\Windows\system32\AppVStreamMap.dll 40
C:\Windows\system32\mavinject.exe 41
C:\Windows\system32\mavinject.exe 38
C:\Windows\system32\mavinject.exe 25
C:\WINDOWS\system32\mavinject.exe 41
C:\Windows\system32\mavinject.exe 33

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_mavinject_proc_inj.yml title: MavInject Process Injection DRL 1.0
sigma win_mavinject_proc_inj.yml - https://reaqta.com/2017/12/mavinject-microsoft-injector/ DRL 1.0
LOLBAS Mavinject.yml Name: Mavinject.exe  
LOLBAS Mavinject.yml - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll  
LOLBAS Mavinject.yml - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"  
LOLBAS Mavinject.yml - Path: C:\Windows\System32\mavinject.exe  
LOLBAS Mavinject.yml - Path: C:\Windows\SysWOW64\mavinject.exe  
LOLBAS Mavinject.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation  
atomic-red-team index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team T1055.md - Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.md ## Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.md Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. MIT License. © 2018 Red Canary
atomic-red-team T1055.md mavinject $mypid /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
atomic-red-team T1056.004.md mavinject $pid /INJECTRUNNING #{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml name: Signed Binary Execution - Mavinject Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml description: Leverage Mavinject (signed binary) for DLL injection Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml mavinject.exe $explorer.id C:\Users\Public\sandcat.dll Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.