mavinject.exe
- File Path: C:\Windows\SysWOW64\mavinject.exe
- Description: Microsoft Application Virtualization Injector
Hashes
Type | Hash |
---|---|
MD5 | 644673C741AB152A3E8904A5B4080489 |
SHA1 | 0DFA1403967ACCCFD15D608B69B7C327ED5BBEB5 |
SHA256 | 18AF462A5EE58BF8BFA175BA734CE91B48E28C7859CA57AB18B5948D1A4B35DD |
SHA384 | 3306653037A4D3B4F88DD29E8B77E837F6798B252CECAA51F61FECF78770F7FAE815A6CD646462ACB5F655B40A7269AF |
SHA512 | 9EAA3DDFF753ED4A0D6B47FFE5815409F3D39D8DCFA7ADC5FF2BFF0167F908AFF34B051BD8511E97BB985F8DEFA3B2A30CD79504AD639829ED274DC46F975556 |
SSDEEP | 3072:nQ7FmBt0fSoD79hILhpVVrujzKdu5ommZPEAkp8:imBt0fSoD79hOLazAZ |
Signature
- Status: Signature verified.
- Serial: 3300000266BD1580EFA75CD6D3000000000266
- Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
File Metadata
- Original Filename: mavinject32.exe
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.14393.3659 (rs1_release_1.200410-1813)
- Product Version: 10.0.14393.3659
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
File Similarity (ssdeep match)
Possible Misuse
The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
Source | Source File | Example | License |
---|---|---|---|
sigma | proc_creation_win_creation_mavinject_dll.yml | title: Mavinject Inject DLL Into Running Process | DRL 1.0 |
sigma | proc_creation_win_creation_mavinject_dll.yml | OriginalFileName\|contains: mavinject | DRL 1.0 |
sigma | proc_creation_win_mavinject_proc_inj.yml | title: MavInject Process Injection | DRL 1.0 |
sigma | proc_creation_win_mavinject_proc_inj.yml | - https://reaqta.com/2017/12/mavinject-microsoft-injector/ | DRL 1.0 |
LOLBAS | Mavinject.yml | Name: Mavinject.exe | |
LOLBAS | Mavinject.yml | - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll | |
LOLBAS | Mavinject.yml | - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" | |
LOLBAS | Mavinject.yml | - Path: C:\Windows\System32\mavinject.exe | |
LOLBAS | Mavinject.yml | - Path: C:\Windows\SysWOW64\mavinject.exe | |
LOLBAS | Mavinject.yml | - IOC: mavinject.exe should not run unless APP-v is in use on the workstation | |
atomic-red-team | index.md | - Atomic Test #1: Process Injection via mavinject.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | index.md | - Atomic Test #1: mavinject - Inject DLL into running process [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: Process Injection via mavinject.exe [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | windows-index.md | - Atomic Test #1: mavinject - Inject DLL into running process [windows] | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.001.md | - Atomic Test #1 - Process Injection via mavinject.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.001.md | ## Atomic Test #1 - Process Injection via mavinject.exe | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.001.md | Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. | MIT License. © 2018 Red Canary |
atomic-red-team | T1055.001.md | mavinject $mypid /INJECTRUNNING #{dll_payload} | MIT License. © 2018 Red Canary |
atomic-red-team | T1056.004.md | mavinject $pid /INJECTRUNNING #{file_name} | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | - Atomic Test #1 - mavinject - Inject DLL into running process | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | ## Atomic Test #1 - mavinject - Inject DLL into running process | MIT License. © 2018 Red Canary |
atomic-red-team | T1218.md | mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} | MIT License. © 2018 Red Canary |
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | name: Signed Binary Execution - Mavinject | Apache-2.0 |
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | description: Leverage Mavinject (signed binary) for DLL injection | Apache-2.0 |
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | mavinject.exe $explorer.id C:\Users\Public\sandcat.dll | Apache-2.0 |
MIT License. Copyright (c) 2020-2021 Strontic.