ttdinject.exe

  • File Path: C:\WINDOWS\system32\ttdinject.exe
  • Description: Time Traver Debugger Application Launcher

Hashes

Type Hash
MD5 2657170157072EDDCE03B847091B4C27
SHA1 E9E08208203DFD5412CF4E1F2EDCC86B14FD68CF
SHA256 B0F5D68DD83EB5BBCE0D9BC331568EA5240B289D1DCD44D26F743FAFA0D84BDC
SHA384 99F539677D37A9F287F92DA25212AD55681A639F777F263F2B214E32FEDA0C169C2FDBAD43BAB641F2EE34F737D8BFDB
SHA512 098C87C81DF9022844B9E64900E43D7351356F271D057285E7EF61B6025F222C084D591DF46C1A2E244916E7A546212F118073535FAADDD246277FF0E7A16D7F
SSDEEP 6144:1M7bb0wvLDMVmhEJ3XCI2cMRXCS2Qvak5k9L2B6FxISBffS4phKJkuT2FB:1M7L8tA4YJB6FxLfS4iJ7CL

Signature

  • Status: Signature verified.
  • Serial: 330000023241FB59996DCC4DFF000000000232
  • Thumbprint: FF82BC38E1DA5E596DF374C53E3617F7EDA36B06
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: TTDInject.EXE
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.18362.1 (WinBuild.160101.0800)
  • Product Version: 10.0.18362.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.

Possible Misuse

The following table contains possible examples of ttdinject.exe being misused. While ttdinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
LOLBAS Ttdinject.yml Name: Ttdinject.exe  
LOLBAS Ttdinject.yml - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe"  
LOLBAS Ttdinject.yml Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated.  
LOLBAS Ttdinject.yml - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe"  
LOLBAS Ttdinject.yml - Path: C:\Windows\System32\ttdinject.exe  
LOLBAS Ttdinject.yml - Path: C:\Windows\Syswow64\ttdinject.exe  
LOLBAS Ttdinject.yml - IOC: Parent child relationship. Ttdinject.exe parent for executed command  
LOLBAS Ttdinject.yml - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process  

MIT License. Copyright (c) 2020-2021 Strontic.