mavinject.exe

  • File Path: C:\Windows\SysWOW64\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type Hash
MD5 CB3E03CBECB798CE4254E1D17716C623
SHA1 3AA7EFE5F35150EF44AD9DB0690AF0FABFD80983
SHA256 784BBC33E7DB4BB5B680BD22EA330B094884A639CD156ADA576A45DC85F92174
SHA384 D5A3CCAD06F419A1400F87355C85C36BE74E8701633F21A87B61C85A81EFAF9BB96AD4E2675AB6C5B44690D0F09F5B3C
SHA512 60359D5281F41FF2383992AB5B3728D352D8C4E5460B08CC878B54C37E5B7B34843E18C5905D958063016317C55296F1C3F3A5C35354B56B4C08203EC6628D3B
SSDEEP 1536:J7xsb7M5mTGDRbNubo7yfkgG6W4fXSoDEnAkbGwCL5AQcGjAnmtphoYccIivRhWt:xr5mmt0fSoD7RcG1phR/vGDNhLcRX8dt
IMP AB78DC0C35824E888F988515C11197D6
PESHA1 85D761758F52A58214E2FC3555DDF5D4083916CF
PE256 47325FE0FDFCD287FD8114CB19812DCB2A9FBA5707BE35495FB05E2587B07A31

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject32.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1518 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1518
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: Unknown

File Similarity (ssdeep match)

File Score
C:\Program Files (x86)\Microsoft Office\root\Client\AppVDllSurrogate32.exe 35
C:\Windows\SysWOW64\mavinject.exe 38
C:\Windows\SysWOW64\mavinject.exe 32
C:\WINDOWS\SysWOW64\mavinject.exe 44
C:\Windows\SysWOW64\mavinject.exe 68
C:\Windows\SysWOW64\mavinject.exe 32

Possible Misuse

The following table contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma win_mavinject_proc_inj.yml title: MavInject Process Injection DRL 1.0
sigma win_mavinject_proc_inj.yml - https://reaqta.com/2017/12/mavinject-microsoft-injector/ DRL 1.0
LOLBAS Mavinject.yml Name: Mavinject.exe  
LOLBAS Mavinject.yml - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll  
LOLBAS Mavinject.yml - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"  
LOLBAS Mavinject.yml - Path: C:\Windows\System32\mavinject.exe  
LOLBAS Mavinject.yml - Path: C:\Windows\SysWOW64\mavinject.exe  
LOLBAS Mavinject.yml - IOC: mavinject.exe should not run unless APP-v is in use on the workstation  
atomic-red-team index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: Process Injection via mavinject.exe [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #1: mavinject - Inject DLL into running process [windows] MIT License. © 2018 Red Canary
atomic-red-team T1055.md - Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.md ## Atomic Test #1 - Process Injection via mavinject.exe MIT License. © 2018 Red Canary
atomic-red-team T1055.md Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll. MIT License. © 2018 Red Canary
atomic-red-team T1055.md mavinject $mypid /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
atomic-red-team T1056.004.md mavinject $pid /INJECTRUNNING #{file_name} MIT License. © 2018 Red Canary
atomic-red-team T1218.md - Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md ## Atomic Test #1 - mavinject - Inject DLL into running process MIT License. © 2018 Red Canary
atomic-red-team T1218.md mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload} MIT License. © 2018 Red Canary
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml name: Signed Binary Execution - Mavinject Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml description: Leverage Mavinject (signed binary) for DLL injection Apache-2.0
stockpile e5bcefee-262d-4568-a261-e8a20855ec81.yml mavinject.exe $explorer.id C:\Users\Public\sandcat.dll Apache-2.0

MIT License. Copyright (c) 2020-2021 Strontic.