mavinject.exe

  • File Path: C:\Windows\system32\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

  • MD5: AEB0A9377147392D401D172089C371D3
  • SHA1: 271C4553E3C852551E2982032092319D6183B1CA
  • SHA256: 59F8E38B825D4C2D00D7384639B77C4083DF30956E9F197F83D37C933BB7091E
  • SHA384: C9FFEB1008B3AC2873DDB753E1D1B914AE5C40A7FB62D428A172A9B4525AD1955748AE3B09BA559EE4C53C2C1FA73265
  • SHA512: 11E01A275534BEA4BCB552B63C9FD2FA39E8EFC24D440175B9B5E54D5008F7E7CF6AB05F2DC30A07E085E8A9BFB4451CA901B795CF280A9B42EBFF222222055A
  • SSDEEP: 3072:FV9WX1D4iekQ5fG0SltWQWGNU6ITL2U1BFwB:D9tiXAItTWGNU6ITL2UG
  • IMP: 429058796B83BC005DB1F177F77554BC
  • PESHA1: A45369DDF5684833184AE8019314BFA101672911
  • PE256: 9A59FE503D76D0FBD16CFE2F09146FF199712EEC5B9064D0F188A239365C1F00

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\mavinject.exe
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1202 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1202
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/59f8e38b825d4c2d00d7384639b77c4083df30956e9f197f83d37c933bb7091e/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\AppVDllSurrogate.exe 41
C:\Windows\system32\AppVDllSurrogate.exe 32
C:\WINDOWS\system32\AppVDllSurrogate.exe 44
C:\Windows\system32\AppVDllSurrogate.exe 30
C:\Windows\system32\AppVDllSurrogate.exe 38
C:\Windows\system32\AppVDllSurrogate.exe 33
C:\Windows\system32\AppVFileSystemMetadata.dll 55
C:\Windows\system32\AppVManifest.dll 33
C:\Windows\system32\AppVNice.exe 38
C:\Windows\system32\AppVNice.exe 47
C:\Windows\system32\AppVNice.exe 46
C:\WINDOWS\system32\AppVNice.exe 50
C:\Windows\system32\AppVNice.exe 43
C:\WINDOWS\system32\AppVNice.exe 46
C:\Windows\system32\AppVScripting.dll 36
C:\Windows\system32\AppVShNotify.exe 38
C:\Windows\system32\AppVShNotify.exe 41
C:\Windows\system32\AppVShNotify.exe 36
C:\WINDOWS\system32\AppVShNotify.exe 38
C:\WINDOWS\system32\AppVShNotify.exe 38
C:\Windows\system32\AppVShNotify.exe 36
C:\Windows\system32\AppVStreamingUX.dll 38
C:\Windows\system32\AppVStreamMap.dll 33
C:\Windows\system32\mavinject.exe 38
C:\Windows\system32\mavinject.exe 35
C:\Windows\system32\mavinject.exe 55
C:\Windows\system32\mavinject.exe 40
C:\WINDOWS\system32\mavinject.exe 47
C:\WINDOWS\system32\mavinject.exe 41
C:\Windows\system32\mavinject.exe 85

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source | Source File | Example | License
sigma | proc_creation_win_creation_mavinject_dll.yml | title: Mavinject Inject DLL Into Running Process | DRL 1.0
sigma | proc_creation_win_creation_mavinject_dll.yml | OriginalFileName|contains: mavinject | DRL 1.0
sigma | proc_creation_win_mavinject_proc_inj.yml | title: MavInject Process Injection | DRL 1.0
sigma | proc_creation_win_mavinject_proc_inj.yml | - https://reaqta.com/2017/12/mavinject-microsoft-injector/ | DRL 1.0
LOLBAS | Mavinject.yml | Name: Mavinject.exe |
LOLBAS | Mavinject.yml | - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll |
LOLBAS | Mavinject.yml | - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll" |
LOLBAS | Mavinject.yml | - Path: C:\Windows\System32\mavinject.exe |
LOLBAS | Mavinject.yml | - Path: C:\Windows\SysWOW64\mavinject.exe |
LOLBAS | Mavinject.yml | - IOC: mavinject.exe should not run unless APP-v is in use on the workstation |
atomic-red-team | index.md | - Atomic Test #1: Process Injection via mavinject.exe [windows] | MIT License. © 2018 Red Canary
atomic-red-team | index.md | - Atomic Test #1: mavinject - Inject DLL into running process [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #1: Process Injection via mavinject.exe [windows] | MIT License. © 2018 Red Canary
atomic-red-team | windows-index.md | - Atomic Test #1: mavinject - Inject DLL into running process [windows] | MIT License. © 2018 Red Canary
atomic-red-team | T1055.001.md | - Atomic Test #1 - Process Injection via mavinject.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1055.001.md | ## Atomic Test #1 - Process Injection via mavinject.exe | MIT License. © 2018 Red Canary
atomic-red-team | T1055.001.md | Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. | MIT License. © 2018 Red Canary
atomic-red-team | T1055.001.md | mavinject $mypid /INJECTRUNNING #{dll_payload} | MIT License. © 2018 Red Canary
atomic-red-team | T1056.004.md | mavinject $pid /INJECTRUNNING #{file_name} | MIT License. © 2018 Red Canary
atomic-red-team | T1218.md | - Atomic Test #1 - mavinject - Inject DLL into running process | MIT License. © 2018 Red Canary
atomic-red-team | T1218.md | ## Atomic Test #1 - mavinject - Inject DLL into running process | MIT License. © 2018 Red Canary
atomic-red-team | T1218.md | mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} | MIT License. © 2018 Red Canary
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | name: Signed Binary Execution - Mavinject | Apache-2.0
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | description: Leverage Mavinject (signed binary) for DLL injection | Apache-2.0
stockpile | e5bcefee-262d-4568-a261-e8a20855ec81.yml | mavinject.exe $explorer.id C:\Users\Public\sandcat.dll | Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.