mavinject.exe

  • File Path: C:\Windows\system32\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type Hash
MD5 72D5E2A3FF5D88C891E0DF1AA28B6422
SHA1 3627AD593F3A956FA07382914B52AAB5CE98C817
SHA256 ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139
SHA384 F27A10016B162488E08BFED343C61EA346962F78E977120A97206418F81175AF0B93EA5242AD78A22F6F748F83D8F8BA
SHA512 B043F3BDF67CA9097E2B0188BC3CB1F7EAECEB3BE027DDFBF636F873366D53F075B3FC7D5BDEED79622C5D9BFC1033354637DC148A7B13175D3B3C4B227E454E
SSDEEP 1536:rYT12U97+PXZEteMJivOtngr4PiWS4WafKYbkkbsFDfSIT0nJ2QC7pwAKV5KcBpX:rYT1d7wtXvOk4Pi6WGNU6ITLxKqcDX

Runtime Data

Loaded Modules:

Path
C:\Windows\system32\mavinject.exe
C:\Windows\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 330000026551AE1BBD005CBFBD000000000265
  • Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\AppVDllSurrogate.exe 38
C:\Windows\system32\AppVDllSurrogate.exe 50
C:\WINDOWS\system32\AppVDllSurrogate.exe 40
C:\Windows\system32\AppVDllSurrogate.exe 49
C:\Windows\system32\AppVDllSurrogate.exe 30
C:\Windows\system32\AppVDllSurrogate.exe 52
C:\Windows\system32\AppVFileSystemMetadata.dll 29
C:\Windows\system32\AppVNice.exe 47
C:\Windows\system32\AppVNice.exe 52
C:\Windows\system32\AppVNice.exe 43
C:\Windows\system32\AppVNice.exe 38
C:\WINDOWS\system32\AppVNice.exe 29
C:\Windows\system32\AppVNice.exe 38
C:\WINDOWS\system32\AppVNice.exe 29
C:\Windows\system32\AppVShNotify.exe 36
C:\Windows\system32\AppVShNotify.exe 27
C:\Windows\system32\AppVShNotify.exe 36
C:\Windows\system32\AppVShNotify.exe 36
C:\Windows\system32\AppVStreamingUX.dll 32
C:\Windows\system32\AppVStreamMap.dll 30
C:\Windows\system32\mavinject.exe 41
C:\Windows\system32\mavinject.exe 44
C:\Windows\system32\mavinject.exe 57
C:\WINDOWS\system32\mavinject.exe 40
C:\Windows\system32\mavinject.exe 35
C:\WINDOWS\system32\mavinject.exe 32
C:\Windows\system32\mavinject.exe 36

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_creation_mavinject_dll.yml title: Mavinject Inject DLL Into Running Process DRL 1.0
sigma proc_creation_win_creation_mavinject_dll.yml OriginalFileName\|contains: mavinject DRL 1.0
sigma proc_creation_win_mavinject_proc_inj.yml title: MavInject Process Injection DRL 1.0
sigma proc_creation_win_mavinject_proc_inj.yml - https://reaqta.com/2017/12/mavinject-microsoft-injector/ DRL 1.0
LOLBAS Mavinject.yml Name: Mavinject.exe  
LOLBAS Mavinject.yml - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll  
LOLBAS Mavinject.yml - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"  
LOLBAS Mavinject.yml - Path: C:\Windows\System32\mavinject.exe  
LOLBAS Mavinject.yml - Path: C:\Windows\SysWOW64\mavinject.exe  
LOLBAS Mavinject.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation  
atomic-red-team index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md - Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md ## Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md mavinject $mypid /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
atomic-red-team T1056.004.md mavinject $pid /INJECTRUNNING #{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml name: Signed Binary Execution - Mavinject Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml description: Leverage Mavinject (signed binary) for DLL injection Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml mavinject.exe $explorer.id C:\Users\Public\sandcat.dll Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.