mavinject.exe

  • File Path: C:\Windows\system32\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type Hash
MD5 750E7456BAA3820527FFA4653EF5A516
SHA1 5C075FF3AE849CF093341C96765C00D28657E15D
SHA256 BEF978F32A3E9582CDB86770509925CB9DDC797C7F6A2055AB2702C6D57302D9
SHA384 BD6317FE9DA276180A7750629A95F0BF31C03B749F556848F05FFE725E7E20331F298092E7D211434BDDC9B4A71116CD
SHA512 2B26EAEF5E64D7F31A64C693CEC83BE53BB84693F160E319C66BEC1E55C4F234A2CA357F8654563ED58F7BC84A4303D07A1D335D017A7645E8B774B65B4171E4
SSDEEP 1536:riYolfN/elJ5yb+UXgBzabn9r4PiW/cWafKYbkkbsFDfSIT0nJ2QC7pwAAZw1ltZ:riYo3/MdWgA54PifWGNU6ITLxb1LiyZ
IMP 96A5873241D90136570C05E55F0B5B2A
PESHA1 BB427119E0E2EF5B3B06666AA361BD370674E9F7
PE256 985A3AE6188D452E5146F42E6B9A3E852A3AC299F8B7929A762FEC94F33663FB

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1518 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1518
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: Unknown

File Similarity (ssdeep match)

File Score
C:\Windows\system32\AppVDllSurrogate.exe 50
C:\WINDOWS\system32\AppVDllSurrogate.exe 38
C:\Windows\system32\AppVDllSurrogate.exe 33
C:\Windows\system32\AppVDllSurrogate.exe 50
C:\Windows\system32\AppVFileSystemMetadata.dll 30
C:\Windows\system32\AppVNice.exe 52
C:\Windows\system32\AppVNice.exe 29
C:\Windows\system32\AppVNice.exe 32
C:\Windows\system32\AppVNice.exe 32
C:\WINDOWS\system32\AppVNice.exe 44
C:\Windows\system32\AppVShNotify.exe 27
C:\Windows\system32\AppVShNotify.exe 33
C:\Windows\system32\AppVShNotify.exe 33
C:\Windows\system32\AppVStreamingUX.dll 32
C:\Windows\system32\AppVStreamMap.dll 32
C:\Windows\system32\mavinject.exe 25
C:\Windows\system32\mavinject.exe 57
C:\Windows\system32\mavinject.exe 36
C:\WINDOWS\system32\mavinject.exe 38
C:\Windows\system32\mavinject.exe 36

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_mavinject_proc_inj.yml title: MavInject Process Injection DRL 1.0
sigma win_mavinject_proc_inj.yml - https://reaqta.com/2017/12/mavinject-microsoft-injector/ DRL 1.0
LOLBAS Mavinject.yml Name: Mavinject.exe  
LOLBAS Mavinject.yml - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll  
LOLBAS Mavinject.yml - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"  
LOLBAS Mavinject.yml - Path: C:\Windows\System32\mavinject.exe  
LOLBAS Mavinject.yml - Path: C:\Windows\SysWOW64\mavinject.exe  
LOLBAS Mavinject.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation  
atomic-red-team index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team T1055.md - Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.md ## Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.md Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. MIT License. © 2018 Red Canary
atomic-red-team T1055.md mavinject $mypid /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
atomic-red-team T1056.004.md mavinject $pid /INJECTRUNNING #{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml name: Signed Binary Execution - Mavinject Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml description: Leverage Mavinject (signed binary) for DLL injection Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml mavinject.exe $explorer.id C:\Users\Public\sandcat.dll Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.