mavinject.exe

  • File Path: C:\Windows\system32\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type Hash
MD5 73E25B03C4DF5277BAF67004D53FC241
SHA1 E486E7F49173DC2A98B90485BDC378952DBA91CB
SHA256 1C1A5BF6BC7EC24C67F2A13E5C8EB71C927927545F8EB7A75F1A4EA893604C38
SHA384 2064ECC639B4C7E90C1077F743F8DA4D516A65951973F1A3C424DF766BA3B8F9130BC1AADF8EC54E05B866CCD473345B
SHA512 3DAAFA6ECF338B6DC466626FC28C4A3D61464C0D43BA831721A15E7D0C1B0613A7568881D21707105B7F7DE70B45A613B40B888A8147F71C05815DD41B463DBC
SSDEEP 3072:gWVGVpG7Ykw0khibT4PiFWGNU6ITL2pj+9wW:Z5Mk9JTuiFWGNU6ITL2pg
IMP 429058796B83BC005DB1F177F77554BC
PESHA1 F975FD6653993E1776EA858282F71BA7E0D93CD0
PE256 E59700530BEA3705299EE8C9529038EF213AE30B96D9F7976CE28AF7766EBC08

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\mavinject.exe
C:\Windows\System32\msvcp_win.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/1c1a5bf6bc7ec24c67f2a13e5c8eb71c927927545f8eb7a75f1a4ea893604c38/detection/

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\AppVDllSurrogate.exe 35
C:\Windows\system32\AppVDllSurrogate.exe 29
C:\WINDOWS\system32\AppVDllSurrogate.exe 43
C:\Windows\system32\AppVDllSurrogate.exe 33
C:\Windows\system32\AppVDllSurrogate.exe 41
C:\Windows\system32\AppVDllSurrogate.exe 27
C:\Windows\system32\AppVFileSystemMetadata.dll 44
C:\Windows\system32\AppVManifest.dll 33
C:\Windows\system32\AppVNice.exe 38
C:\Windows\system32\AppVNice.exe 41
C:\Windows\system32\AppVNice.exe 40
C:\WINDOWS\system32\AppVNice.exe 44
C:\Windows\system32\AppVNice.exe 47
C:\WINDOWS\system32\AppVNice.exe 40
C:\Windows\system32\AppVScripting.dll 30
C:\Windows\system32\AppVShNotify.exe 38
C:\Windows\system32\AppVShNotify.exe 40
C:\Windows\system32\AppVShNotify.exe 43
C:\WINDOWS\system32\AppVShNotify.exe 33
C:\WINDOWS\system32\AppVShNotify.exe 41
C:\Windows\system32\AppVShNotify.exe 40
C:\Windows\system32\AppVStreamingUX.dll 43
C:\Windows\system32\AppVStreamMap.dll 38
C:\Windows\system32\mavinject.exe 38
C:\Windows\system32\mavinject.exe 44
C:\Windows\system32\mavinject.exe 36
C:\WINDOWS\system32\mavinject.exe 43
C:\Windows\system32\mavinject.exe 55
C:\WINDOWS\system32\mavinject.exe 44
C:\Windows\system32\mavinject.exe 54

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_creation_mavinject_dll.yml | title: Mavinject Inject DLL Into Running Process | DRL 1.0
sigma | proc_creation_win_creation_mavinject_dll.yml | OriginalFileName\|contains: mavinject | DRL 1.0
sigma | proc_creation_win_mavinject_proc_inj.yml | title: MavInject Process Injection | DRL 1.0
sigma | proc_creation_win_mavinject_proc_inj.yml | - https://reaqta.com/2017/12/mavinject-microsoft-injector/ | DRL 1.0
LOLBAS | Mavinject.yml | Name: Mavinject.exe |
LOLBAS | Mavinject.yml | - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll |
LOLBAS | Mavinject.yml | - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" |
LOLBAS | Mavinject.yml | - Path: C:\Windows\System32\mavinject.exe |
LOLBAS | Mavinject.yml | - Path: C:\Windows\SysWOW64\mavinject.exe |
LOLBAS | Mavinject.yml | - IOC: mavinject.exe should not run unless APP-v is in use on the workstation |
atomic-red-team | index.md | - Atomic Test #1: Process Injection via mavinject.exe [windows] | MIT License. © 2018 Red Canary
atomic-red-team | index.md | - Atomic Test #1: mavinject - Inject DLL into running process [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #1: Process Injection via mavinject.exe [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #1: mavinject - Inject DLL into running process [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1055.001.md | - Atomic Test #1 - Process Injection via mavinject.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1055.001.md | ## Atomic Test #1 - Process Injection via mavinject.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1055.001.md | Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. | MIT License. © 2018 Red Canary
atomic-red-team | T1055.001.md | mavinject $mypid /INJECTRUNNING #{dll_payload} | MIT License. © 2018 Red Canary
atomic-red-team | T1056.004.md | mavinject $pid /INJECTRUNNING #{file_name} | MIT License. © 2018 Red Canary
atomic-red-team | T1218.md | - Atomic Test #1 - mavinject - Inject DLL into running process | MIT License. © 2018 Red Canary
atomic-red-team | T1218.md | ## Atomic Test #1 - mavinject - Inject DLL into running process | MIT License. © 2018 Red Canary
atomic-red-team | T1218.md | mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} | MIT License. © 2018 Red Canary
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | name: Signed Binary Execution - Mavinject | Apache-2.0
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | description: Leverage Mavinject (signed binary) for DLL injection | Apache-2.0
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | mavinject.exe $explorer.id C:\Users\Public\sandcat.dll | Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.