ttdinject.exe
- File Path:
C:\WINDOWS\system32\ttdinject.exe
- Description: Time Traver Debugging Application Injector
Hashes
| Type |
Hash |
| MD5 |
2E692065475369F87D3F220E93B89710 |
| SHA1 |
090AE097636E75B5B06573BD9FEC714EC6F0544A |
| SHA256 |
C7A9ED79040CAE7A53B278B80A4234B95C36505A1999280B75E5A24B4259B025 |
| SHA384 |
CCFF5C474E265C2AFFC1ECDCBCC1EAC09B0EAF72A3793F6E1984B8CA7B69ABAB5F47E27C43480B02A36E91C5170076C1 |
| SHA512 |
6F2A9857E2B33ECCB9C42D775485FB9B1C41CB30A450DACB7DA028B98EFC01824CAC02CD2893DBF444DC44E43AEFEA279CCF5BC6CA8E059C2709FD91A5FC3522 |
| SSDEEP |
6144:5HhoOIfeN76KvpAkBJF7Am0bYZHU3xEy407lsgiuKgNjKlEh9:BhoOIfeFvpAkBgmjHU3xEO7JMgN2mh |
| IMP |
A0F502C21B244290AA72CBF568F0B558 |
| PESHA1 |
9F6C4B2D2401CC026496C2172EB38AB7D00C3237 |
| PE256 |
B37CDE4E2271557A6D572B2452C07EA9F312536E50DFD63A3ED16DE5FC96F0CC |
Runtime Data
Usage (stdout):
Microsoft (R) TTDInject Launcher 1.01.07
Release: 10.0.22000.1
Copyright (C) Microsoft Corporation. All rights reserved.
Usage (stderr):
���!!! Unexpected string 'help' after 'C:\WINDOWS\system32\ttdinject.exe'
Loaded Modules:
| Path |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\system32\ttdinject.exe |
Signature
- Status: Signature verified.
- Serial:
33000002ED2C45E4C145CF48440000000002ED
- Thumbprint:
312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Original Filename: TTDInject.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 64-bit
File Scan
- VirusTotal Detections: 0/72
- VirusTotal Link: https://www.virustotal.com/gui/file/c7a9ed79040cae7a53b278b80a4234b95c36505a1999280b75e5a24b4259b025/detection
Possible Misuse
The following table contains possible examples of ttdinject.exe being misused. While ttdinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source |
Source File |
Example |
License |
| LOLBAS |
Ttdinject.yml |
Name: Ttdinject.exe |
|
| LOLBAS |
Ttdinject.yml |
- Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" |
|
| LOLBAS |
Ttdinject.yml |
Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. |
|
| LOLBAS |
Ttdinject.yml |
- Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" |
|
| LOLBAS |
Ttdinject.yml |
- Path: C:\Windows\System32\ttdinject.exe |
|
| LOLBAS |
Ttdinject.yml |
- Path: C:\Windows\Syswow64\ttdinject.exe |
|
| LOLBAS |
Ttdinject.yml |
- IOC: Parent child relationship. Ttdinject.exe parent for executed command |
|
| LOLBAS |
Ttdinject.yml |
- IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process |
|
MIT License. Copyright (c) 2020-2021 Strontic.