mavinject.exe

File Path: C:\Windows\system32\mavinject.exe
Description: Microsoft Application Virtualization Injector

Hashes

Type	Hash
MD5	`72D5E2A3FF5D88C891E0DF1AA28B6422`
SHA1	`3627AD593F3A956FA07382914B52AAB5CE98C817`
SHA256	`ABB99F7CFD3E9EB294501AAFA082A8D4841278CC39A4FB3DFF9942CA1F71A139`
SHA384	`F27A10016B162488E08BFED343C61EA346962F78E977120A97206418F81175AF0B93EA5242AD78A22F6F748F83D8F8BA`
SHA512	`B043F3BDF67CA9097E2B0188BC3CB1F7EAECEB3BE027DDFBF636F873366D53F075B3FC7D5BDEED79622C5D9BFC1033354637DC148A7B13175D3B3C4B227E454E`
SSDEEP	`1536:rYT12U97+PXZEteMJivOtngr4PiWS4WafKYbkkbsFDfSIT0nJ2QC7pwAKV5KcBpX:rYT1d7wtXvOk4Pi6WGNU6ITLxKqcDX`

Runtime Data

Loaded Modules:

Path
C:\Windows\system32\mavinject.exe
C:\Windows\SYSTEM32\ntdll.dll

Signature

Status: Signature verified.
Serial: 330000026551AE1BBD005CBFBD000000000265
Thumbprint: E168609353F30FF2373157B4EB8CD519D07A2BFF
Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

Original Filename: mavinject64.exe
Product Name: Microsoft Windows Operating System
Company Name: Microsoft Corporation
File Version: 10.0.17763.1 (WinBuild.160101.0800)
Product Version: 10.0.17763.1
Language: English (United States)
Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File	Score
C:\WINDOWS\system32\AppVDllSurrogate.exe	38
C:\Windows\system32\AppVDllSurrogate.exe	50
C:\WINDOWS\system32\AppVDllSurrogate.exe	40
C:\Windows\system32\AppVDllSurrogate.exe	49
C:\Windows\system32\AppVDllSurrogate.exe	30
C:\Windows\system32\AppVDllSurrogate.exe	52
C:\Windows\system32\AppVFileSystemMetadata.dll	29
C:\Windows\system32\AppVNice.exe	47
C:\Windows\system32\AppVNice.exe	52
C:\Windows\system32\AppVNice.exe	43
C:\Windows\system32\AppVNice.exe	38
C:\WINDOWS\system32\AppVNice.exe	29
C:\Windows\system32\AppVNice.exe	38
C:\WINDOWS\system32\AppVNice.exe	29
C:\Windows\system32\AppVShNotify.exe	36
C:\Windows\system32\AppVShNotify.exe	27
C:\Windows\system32\AppVShNotify.exe	36
C:\Windows\system32\AppVShNotify.exe	36
C:\Windows\system32\AppVStreamingUX.dll	32
C:\Windows\system32\AppVStreamMap.dll	30
C:\Windows\system32\mavinject.exe	41
C:\Windows\system32\mavinject.exe	44
C:\Windows\system32\mavinject.exe	57
C:\WINDOWS\system32\mavinject.exe	40
C:\Windows\system32\mavinject.exe	35
C:\WINDOWS\system32\mavinject.exe	32
C:\Windows\system32\mavinject.exe	36

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source	Source File	Example	License
sigma	proc_creation_win_creation_mavinject_dll.yml	`title: Mavinject Inject DLL Into Running Process`	DRL 1.0
sigma	proc_creation_win_creation_mavinject_dll.yml	`OriginalFileName\\|contains: mavinject`	DRL 1.0
sigma	proc_creation_win_mavinject_proc_inj.yml	`title: MavInject Process Injection`	DRL 1.0
sigma	proc_creation_win_mavinject_proc_inj.yml	`- https://reaqta.com/2017/12/mavinject-microsoft-injector/`	DRL 1.0
LOLBAS	Mavinject.yml	`Name: Mavinject.exe`
LOLBAS	Mavinject.yml	`- Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll`
LOLBAS	Mavinject.yml	`- Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"`
LOLBAS	Mavinject.yml	`- Path: C:\Windows\System32\mavinject.exe`
LOLBAS	Mavinject.yml	`- Path: C:\Windows\SysWOW64\mavinject.exe`
LOLBAS	Mavinject.yml	`- IOC: mavinject.exe should not run unless APP-v is in use on the workstation`
atomic-red-team	index.md	- Atomic Test #1: Process Injection via mavinject.exe [windows]	MIT License. © 2018 Red Canary
atomic-red-team	index.md	- Atomic Test #1: mavinject - Inject DLL into running process [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: Process Injection via mavinject.exe [windows]	MIT License. © 2018 Red Canary
atomic-red-team	windows-index.md	- Atomic Test #1: mavinject - Inject DLL into running process [windows]	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	- Atomic Test #1 - Process Injection via mavinject.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	## Atomic Test #1 - Process Injection via mavinject.exe	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.	MIT License. © 2018 Red Canary
atomic-red-team	T1055.001.md	mavinject $mypid /INJECTRUNNING #{dll_payload}	MIT License. © 2018 Red Canary
atomic-red-team	T1056.004.md	mavinject $pid /INJECTRUNNING #{file_name}	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	- Atomic Test #1 - mavinject - Inject DLL into running process	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	## Atomic Test #1 - mavinject - Inject DLL into running process	MIT License. © 2018 Red Canary
atomic-red-team	T1218.md	mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}	MIT License. © 2018 Red Canary
stockpile	e5bcefee-262d-4568-a261-e8a20855ec81.yml	`name: Signed Binary Execution - Mavinject`	Apache-2.0
stockpile	e5bcefee-262d-4568-a261-e8a20855ec81.yml	`description: Leverage Mavinject (signed binary) for DLL injection`	Apache-2.0
stockpile	e5bcefee-262d-4568-a261-e8a20855ec81.yml	`mavinject.exe $explorer.id C:\Users\Public\sandcat.dll`	Apache-2.0