mavinject.exe

  • File Path: C:\WINDOWS\system32\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type Hash
MD5 CB272877A7CDD93C57BDFFE95981932B
SHA1 6D86D5885DA4D3F03CB35D168492D33DC53BBE3D
SHA256 3A645FFDEFF126B43D641BB2A6121909F01018C7BA709B2F5E4880143457E55D
SHA384 436882BD3FD2CE025F346742AD9A6760B28DF6E366A369A21540EE72838170093616155F9FB06B931E92537F28C57EF1
SHA512 597B3D40B90DE5675DEB6A3A54E514AF5B7157DD1EF9597E1BDEC6656E25D39A14CCA002D6D50471D789697466DF59E5092C7F549461C76A5B17E5A984B9BFFE
SSDEEP 3072:Gk3cCQ+76YPpjLDMo/FJmcWGNU6ITLui/wF:GwcCD7PVMo/FJjWGNU6ITLuiW
IMP DCDD0A1B4E87EE2E235253DF5FA5EA2E
PESHA1 4A303CCEA031C1ACBFCBE664B6AAFBF66F7EFC96
PE256 2451162363CBB6993069124A8A7B3D3F2088D570D941177194957753558EC466

Runtime Data

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\system32\mavinject.exe
C:\WINDOWS\SYSTEM32\ntdll.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/72
  • VirusTotal Link: https://www.virustotal.com/gui/file/3a645ffdeff126b43d641bb2a6121909f01018c7ba709b2f5e4880143457e55d/detection

File Similarity (ssdeep match)

File Score
C:\WINDOWS\system32\AppVDllSurrogate.exe 44
C:\Windows\system32\AppVDllSurrogate.exe 32
C:\WINDOWS\system32\AppVDllSurrogate.exe 35
C:\Windows\system32\AppVDllSurrogate.exe 30
C:\Windows\system32\AppVDllSurrogate.exe 43
C:\Windows\system32\AppVDllSurrogate.exe 32
C:\Windows\system32\AppVFileSystemMetadata.dll 41
C:\Windows\system32\AppVManifest.dll 32
C:\Windows\system32\AppVNice.exe 32
C:\Windows\system32\AppVNice.exe 43
C:\Windows\system32\AppVNice.exe 41
C:\WINDOWS\system32\AppVNice.exe 41
C:\Windows\system32\AppVNice.exe 38
C:\WINDOWS\system32\AppVNice.exe 36
C:\Windows\system32\AppVScripting.dll 35
C:\Windows\system32\AppVShNotify.exe 38
C:\Windows\system32\AppVShNotify.exe 33
C:\Windows\system32\AppVShNotify.exe 40
C:\WINDOWS\system32\AppVShNotify.exe 38
C:\WINDOWS\system32\AppVShNotify.exe 46
C:\Windows\system32\AppVShNotify.exe 43
C:\Windows\system32\AppVStreamingUX.dll 43
C:\Windows\system32\AppVStreamMap.dll 38
C:\Windows\system32\mavinject.exe 35
C:\Windows\system32\mavinject.exe 32
C:\Windows\system32\mavinject.exe 44
C:\Windows\system32\mavinject.exe 38
C:\WINDOWS\system32\mavinject.exe 38
C:\Windows\system32\mavinject.exe 41
C:\Windows\system32\mavinject.exe 41

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma sysmon_creation_mavinject_dll.yml title: Mavinject Inject DLL Into Running Process DRL 1.0
sigma sysmon_creation_mavinject_dll.yml OriginalFileName\|contains: mavinject DRL 1.0
sigma win_mavinject_proc_inj.yml title: MavInject Process Injection DRL 1.0
sigma win_mavinject_proc_inj.yml - https://reaqta.com/2017/12/mavinject-microsoft-injector/ DRL 1.0
LOLBAS Mavinject.yml Name: Mavinject.exe  
LOLBAS Mavinject.yml - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll  
LOLBAS Mavinject.yml - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"  
LOLBAS Mavinject.yml - Path: C:\Windows\System32\mavinject.exe  
LOLBAS Mavinject.yml - Path: C:\Windows\SysWOW64\mavinject.exe  
LOLBAS Mavinject.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation  
atomic-red-team index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md - Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md ## Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. MIT License. © 2018 Red Canary
atomic-red-team T1055.001.md mavinject $mypid /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
atomic-red-team T1056.004.md mavinject $pid /INJECTRUNNING #{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml name: Signed Binary Execution - Mavinject Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml description: Leverage Mavinject (signed binary) for DLL injection Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml mavinject.exe $explorer.id C:\Users\Public\sandcat.dll Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.