mavinject.exe

  • File Path: C:\Windows\SysWOW64\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type Hash
MD5 651259747F1C4401A88A23AD816BB0ED
SHA1 51372A353D20F969F65EFD770130742ABF14729B
SHA256 4D27AF387D4A9475ADD1BF427B2FA0E9420F7D85DFCF4285734D400A531AB758
SHA384 5E3B4AD587649E46CDF489FF1E4235DA88562137803DF19540778CC260575DD84E9A9DFFA40B2CB5AC32D456C50864ED
SHA512 3AAC135ABD2F4CA2DDE6DAE5CA6044DC28F7E95EA5A0758101CA06F878B3328B4E4FB00E60AE4DB77C95EF553F62302C0FB5F7140A36DC3791C24DE5C6DAE6B9
SSDEEP 3072:TvYvmmt0fSoD7WHKs+PtKkiIoqf1CXgFW:TvQmmt0fSoD7WHV+PSgc
IMP 92734E64BEDF9E93EEC501508D2B049C
PESHA1 F9A2463B50048B826B283DE40A4D928148DEFA93
PE256 439E98DEDB3FD31B67D62D96C0F070C8CF9567FB220C05F44351CDE9AEC0E7A3

Runtime Data

Loaded Modules:

Path
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\wow64.dll
C:\Windows\System32\wow64cpu.dll
C:\Windows\System32\wow64win.dll
C:\Windows\SysWOW64\mavinject.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject32.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1202 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1202
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/4d27af387d4a9475add1bf427b2fa0e9420f7d85dfcf4285734d400a531ab758/detection

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe 46
C:\Program Files (x86)\Microsoft Office\root\Client\AppVLP.exe 33
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe 29
C:\Windows\SysWOW64\mavinject.exe 66
C:\WINDOWS\SysWOW64\mavinject.exe 40
C:\Windows\SysWOW64\mavinject.exe 43
C:\WINDOWS\SysWOW64\mavinject.exe 57
C:\Windows\SysWOW64\mavinject.exe 41
C:\Windows\SysWOW64\mavinject.exe 85
C:\Windows\SysWOW64\mavinject.exe 35

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_creation_mavinject_dll.yml title: Mavinject Inject DLL Into Running Process DRL 1.0
sigma proc_creation_win_creation_mavinject_dll.yml OriginalFileName\|contains: mavinject DRL 1.0
sigma proc_creation_win_mavinject_proc_inj.yml title: MavInject Process Injection DRL 1.0
sigma proc_creation_win_mavinject_proc_inj.yml - https://reaqta.com/2017/12/mavinject-microsoft-injector/ DRL 1.0
LOLBAS Mavinject.yml Name: Mavinject.exe  
LOLBAS Mavinject.yml - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll  
LOLBAS Mavinject.yml - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"  
LOLBAS Mavinject.yml - Path: C:\Windows\System32\mavinject.exe  
LOLBAS Mavinject.yml - Path: C:\Windows\SysWOW64\mavinject.exe  
LOLBAS Mavinject.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation  
atomic-red-team index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md - Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md ## Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md mavinject $mypid /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
atomic-red-team T1056.004.md mavinject $pid /INJECTRUNNING #{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml name: Signed Binary Execution - Mavinject Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml description: Leverage Mavinject (signed binary) for DLL injection Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml mavinject.exe $explorer.id C:\Users\Public\sandcat.dll Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.