mavinject.exe

  • File Path: C:\Windows\system32\mavinject.exe
  • Description: Microsoft Application Virtualization Injector

Hashes

Type     Hash
MD5      E354F3D93A7639FCE4D649874766D624
SHA1     93B00ADC9B3871635ABC9C6AFE483E83782582CD
SHA256   930272DA382ACCB872CD2F4BE045BEAAC493CD1A896786E4FB4B42F30E1D9A32
SHA384   EEE0E4350BFF277013FC6224109C0388642E15F3F42D2BB3715A15FEA370A0B55FE32D6B53E2AC19F0CED08FDB01A73F
SHA512   C7CA5EF25972A31243DE688B8C599B3B77DC9E34A84F466B8C9CC0828DF9436780E091FD45CAF8122BCD247C48902D606C00CFD5375CC6A2A489B80912FFA3A4
SSDEEP   3072:5V9WX1D4iekQ5fG0SltWQWGNU6ITL2VprwXhw:X9tiXAItTWGNU6ITL2/Ww
IMP      429058796B83BC005DB1F177F77554BC
PESHA1   D1FC943C8F25039E7936C287DB5C0F5C6D073536
PE256    C025C2E9369E8CD13151CE20F58C7C24BE05F1F28FCA97DEE8285E06060F74E2

Runtime Data

Loaded Modules:

Path
C:\Windows\System32\ADVAPI32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\IMM32.DLL
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\system32\mavinject.exe
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\System32\sechost.dll
C:\Windows\System32\SHELL32.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: mavinject64.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.572 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.572
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/75
  • VirusTotal Link: https://www.virustotal.com/gui/file/930272da382accb872cd2f4be045beaac493cd1a896786e4fb4b42f30e1d9a32/detection

File Similarity (ssdeep match)

File                                            Score
C:\WINDOWS\system32\AppVDllSurrogate.exe        35
C:\Windows\system32\AppVDllSurrogate.exe        32
C:\WINDOWS\system32\AppVDllSurrogate.exe        47
C:\Windows\system32\AppVDllSurrogate.exe        30
C:\Windows\system32\AppVDllSurrogate.exe        36
C:\Windows\system32\AppVDllSurrogate.exe        33
C:\Windows\system32\AppVFileSystemMetadata.dll  58
C:\Windows\system32\AppVManifest.dll            33
C:\Windows\system32\AppVNice.exe                36
C:\Windows\system32\AppVNice.exe                46
C:\Windows\system32\AppVNice.exe                49
C:\WINDOWS\system32\AppVNice.exe                44
C:\Windows\system32\AppVNice.exe                43
C:\WINDOWS\system32\AppVNice.exe                40
C:\Windows\system32\AppVScripting.dll           30
C:\Windows\system32\AppVShNotify.exe            38
C:\Windows\system32\AppVShNotify.exe            40
C:\Windows\system32\AppVShNotify.exe            43
C:\WINDOWS\system32\AppVShNotify.exe            33
C:\WINDOWS\system32\AppVShNotify.exe            41
C:\Windows\system32\AppVShNotify.exe            43
C:\Windows\system32\AppVStreamingUX.dll         38
C:\Windows\system32\AppVStreamMap.dll           35
C:\Windows\system32\mavinject.exe               33
C:\Windows\system32\mavinject.exe               36
C:\Windows\system32\mavinject.exe               54
C:\Windows\system32\mavinject.exe               36
C:\WINDOWS\system32\mavinject.exe               43
C:\Windows\system32\mavinject.exe               85
C:\WINDOWS\system32\mavinject.exe               41

Possible Misuse

The following list contains possible examples of mavinject.exe being misused. While mavinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Entries are grouped by source (with the source's license in parentheses where stated); each entry gives the source file followed by the matching excerpt.

sigma (DRL 1.0)
  • proc_creation_win_creation_mavinject_dll.yml: title: Mavinject Inject DLL Into Running Process
  • proc_creation_win_creation_mavinject_dll.yml: OriginalFileName|contains: mavinject
  • proc_creation_win_mavinject_proc_inj.yml: title: MavInject Process Injection
  • proc_creation_win_mavinject_proc_inj.yml: - https://reaqta.com/2017/12/mavinject-microsoft-injector/

LOLBAS
  • Mavinject.yml: Name: Mavinject.exe
  • Mavinject.yml: - Command: MavInject.exe 3110 /INJECTRUNNING c:\folder\evil.dll
  • Mavinject.yml: - Command: Mavinject.exe 4172 /INJECTRUNNING "c:\ads\file.txt:file.dll"
  • Mavinject.yml: - Path: C:\Windows\System32\mavinject.exe
  • Mavinject.yml: - Path: C:\Windows\SysWOW64\mavinject.exe
  • Mavinject.yml: - IOC: mavinject.exe should not run unless APP-v is in use on the workstation

atomic-red-team (MIT License. © 2018 Red Canary)
  • index.md: - Atomic Test #1: Process Injection via mavinject.exe [windows]
  • index.md: - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  • windows-index.md: - Atomic Test #1: Process Injection via mavinject.exe [windows]
  • windows-index.md: - Atomic Test #1: mavinject - Inject DLL into running process [windows]
  • T1055.001.md: - Atomic Test #1 - Process Injection via mavinject.exe
  • T1055.001.md: ## Atomic Test #1 - Process Injection via mavinject.exe
  • T1055.001.md: Upon successful execution, powershell.exe will download T1055.dll to disk. Powershell will then spawn mavinject.exe to perform process injection in T1055.dll.
  • T1055.001.md: mavinject $mypid /INJECTRUNNING #{dll_payload}
  • T1056.004.md: mavinject $pid /INJECTRUNNING #{file_name}
  • T1218.md: - Atomic Test #1 - mavinject - Inject DLL into running process
  • T1218.md: ## Atomic Test #1 - mavinject - Inject DLL into running process
  • T1218.md: mavinject.exe #{process_id} /INJECTRUNNING #{dll_payload}

stockpile (Apache-2.0)
  • e5bcefee-262d-4568-a261-e8a20855ec81.yml: name: Signed Binary Execution - Mavinject
  • e5bcefee-262d-4568-a261-e8a20855ec81.yml: description: Leverage Mavinject (signed binary) for DLL injection
  • e5bcefee-262d-4568-a261-e8a20855ec81.yml: mavinject.exe $explorer.id C:\Users\Public\sandcat.dll

MIT License. Copyright (c) 2020-2021 Strontic.