mavinject.exe

File Path: C:\WINDOWS\SysWOW64\mavinject.exe
Description: Microsoft Application Virtualization Injector

Hashes

Type	Hash
MD5	`639104A1BBEE03C2101A3FDC4FB4DF8A`
SHA1	`FDC687F71E0967C1A736D4BEDA909ECD8997386A`
SHA256	`FF1BD8083BC74BA555BD8BBCF39E364039DD1493E72E1F09E33169A09665EF88`
SHA384	`E8934F0AA8A6DF5F11B29124834E6276BEFD7A1522C83F5A0EEFBBF45C61A704018432B0F2771BCDA69411A07AFACF66`
SHA512	`201CE60A3949E5CDD007FB0CD56948B8AF6CA427CBBDB2CDF350E80BCC1223E873F075AE838BC4D2E196EF5F3B1DA285C77E0B460365EDBFB12328E9AB76599F`
SSDEEP	`1536:R1J2v/FmTGDRbNubo7yfkgG6W4fXSoDEnAkbGwCL5i7XdInYw/f1uzhD9kyldS/F:R1Uv/Fmmt0fSoD7CcbMB9Hdc9Pw/4`
IMP	`BB13B2E2A13ED3D677AEED382ADAE1FA`
PESHA1	`24E33AEC0A0E851B9505B4A47460B1B13C979265`
PE256	`595F80617BD08393FE6802A20C3007866A82CF03CA807CD1322B85B937450A8E`

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\System32\wow64.dll
C:\WINDOWS\System32\wow64base.dll
C:\WINDOWS\System32\wow64con.dll
C:\WINDOWS\System32\wow64cpu.dll
C:\WINDOWS\System32\wow64win.dll
C:\WINDOWS\SysWOW64\mavinject.exe

Signature

Status: Signature verified.
Serial: 33000002ED2C45E4C145CF48440000000002ED
Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: mavinject32.exe
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.22000.1 (WinBuild.160101.0800)
Product Version: 10.0.22000.1
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.
Machine Type: 32-bit

File Scan

VirusTotal Detections: Unknown

File Similarity (ssdeep match)

File	Score
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe	33
C:\Windows\SysWOW64\mavinject.exe	40
C:\Windows\SysWOW64\mavinject.exe	36
C:\Windows\SysWOW64\mavinject.exe	40
C:\WINDOWS\SysWOW64\mavinject.exe	38
C:\Windows\SysWOW64\mavinject.exe	57
C:\Windows\SysWOW64\mavinject.exe	40
C:\Windows\SysWOW64\mavinject.exe	60

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_creation_mavinject_dll.yml	`title: Mavinject Inject DLL Into Running Process`	DRL 1.0
sigma	proc_creation_win_creation_mavinject_dll.yml	`OriginalFileName\\|contains: mavinject`	DRL 1.0
sigma	proc_creation_win_mavinject_proc_inj.yml	`title: MavInject Process Injection`	DRL 1.0
sigma	proc_creation_win_mavinject_proc_inj.yml	`- https://reaqta.com/2017/12/mavinject-microsoft-injector/`	DRL 1.0
LOLBAS	Mavinject.yml	`Name: Mavinject.exe`
LOLBAS	Mavinject.yml	`- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll`
LOLBAS	Mavinject.yml	`- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"`
LOLBAS	Mavinject.yml	`- Path: C:\Windows\System32\mavinject.exe`
LOLBAS	Mavinject.yml	`- Path: C:\Windows\SysWOW64\mavinject.exe`
LOLBAS	Mavinject.yml	`- IOC: mavinject.exe should not run unless APP-v is in use on the workstation`
atomic-red-team	index.md	- Atomic Test #1: Process Injection via mavinject.exe [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #1: mavinject - Inject DLL into running process [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: Process Injection via mavinject.exe [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: mavinject - Inject DLL into running process [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	- Atomic Test #1 - Process Injection via mavinject.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	## Atomic Test #1 - Process Injection via mavinject.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	mavinject $mypid /INJECTRUNNING #{dll_payload}	MIT License. © 2018 Red Canary
atomic-red-team	T1056.004.md	mavinject $pid /INJECTRUNNING #{file_name}	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	- Atomic Test #1 - mavinject - Inject DLL into running process	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	## Atomic Test #1 - mavinject - Inject DLL into running process	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}	MIT License. © 2018 Red Canary
stockpile	e5bcefee-262d-4568-a261-e8a20855ec81.yml	`name: Signed Binary Execution - Mavinject`	Apache-2.0
stockpile	e5bcefee-262d-4568-a261-e8a20855ec81.yml	`description: Leverage Mavinject (signed binary) for DLL injection`	Apache-2.0
stockpile	e5bcefee-262d-4568-a261-e8a20855ec81.yml	`mavinject.exe $explorer.id C:\Users\Public\sandcat.dll`	Apache-2.0