mavinject.exe

  • File Path: C:\WINDOWS\system32\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type Hash
MD5 80EAEBA49FFD53712F4304A442C95F0D
SHA1 1847CE5831ACAECF84DD3E28A0EE6BF6FB98E343
SHA256 926B54D54DEC971022BD18F97AB970D4533B34A1CEF9C65DCA1B696C1119CD90
SHA384 BB0C4F372DB5D87300D9D4DAEFCAB72234FB7811928B1940754EEB31699517345458B1793DC046FA2794945A21F77B5D
SHA512 530FB4C73C8F3F85823301A68339E3653CC8F98411861938D544859D2B3BDE2155B44F2BFF1266792483E1E8A125E3969734BE5FA172A8B709132AFC05C5A51B
SSDEEP 3072:s0/7kEjgqJcKsiUsZWGNU6ITLxd7YYU8Q:s0/18YcKsidWGNU6ITLxdUH

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

File Similarity (ssdeep match)

File Score
C:\Windows\system32\AppVDllSurrogate.exe 40
C:\WINDOWS\system32\AppVDllSurrogate.exe 41
C:\Windows\system32\AppVDllSurrogate.exe 44
C:\Windows\system32\AppVDllSurrogate.exe 35
C:\Windows\system32\AppVFileSystemMetadata.dll 38
C:\Windows\system32\AppVManifest.dll 38
C:\Windows\system32\AppVNice.exe 44
C:\Windows\system32\AppVNice.exe 43
C:\Windows\system32\AppVNice.exe 36
C:\WINDOWS\system32\AppVNice.exe 38
C:\Windows\system32\AppVScripting.dll 35
C:\Windows\system32\AppVShNotify.exe 43
C:\Windows\system32\AppVShNotify.exe 44
C:\WINDOWS\system32\AppVShNotify.exe 29
C:\Windows\system32\AppVShNotify.exe 44
C:\Windows\system32\AppVStreamingUX.dll 44
C:\Windows\system32\AppVStreamMap.dll 36
C:\Windows\system32\mavinject.exe 41
C:\Windows\system32\mavinject.exe 40
C:\Windows\system32\mavinject.exe 43
C:\Windows\system32\mavinject.exe 38
C:\Windows\system32\mavinject.exe 43

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_mavinject_proc_inj.yml title: MavInject Process Injection DRL 1.0
sigma win_mavinject_proc_inj.yml - https://reaqta.com/2017/12/mavinject-microsoft-injector/ DRL 1.0
LOLBAS Mavinject.yml Name: Mavinject.exe  
LOLBAS Mavinject.yml - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll  
LOLBAS Mavinject.yml - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"  
LOLBAS Mavinject.yml - Path: C:\Windows\System32\mavinject.exe  
LOLBAS Mavinject.yml - Path: C:\Windows\SysWOW64\mavinject.exe  
LOLBAS Mavinject.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation  
atomic-red-team index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team T1055.md - Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.md ## Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.md Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. MIT License. © 2018 Red Canary
atomic-red-team T1055.md mavinject $mypid /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
atomic-red-team T1056.004.md mavinject $pid /INJECTRUNNING #{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml name: Signed Binary Execution - Mavinject Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml description: Leverage Mavinject (signed binary) for DLL injection Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml mavinject.exe $explorer.id C:\Users\Public\sandcat.dll Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.