ttdinject.exe
- File Path: C:\WINDOWS\SysWOW64\ttdinject.exe
- Description: Time Traver Debugging Application Injector
Hashes
| Type | Hash |
| --- | --- |
| MD5 | C67E321DF3C854C94AB7CB5FCC6F0626 |
| SHA1 | 0A0471E64324F34A348A6E737A5F684614CA575C |
| SHA256 | F0A44D3C9EBC66E484E113088A9082F8939EDAD691F36C21BE85CBFD994D1D99 |
| SHA384 | 6925BD8AE64553D09F6CF2846482A4AEC0212DD6E6E8AD98B5C2DF1175428CF8FE44F10A695A46DCA550626ADB6BE68B |
| SHA512 | A2D6825E90D8FEE2BD0DDFB9273A6C3A44825DA8966546D2B383F5A7195E0095CD2CDB3D4829CF10E425667C2F80C0A0C5FDCCA4E8D2054182B62959C647C696 |
| SSDEEP | 6144:Pg0AzmAEoMXdXuNBgimzCsr08stSYy+EgSLC9:PyHEowdIyzjr05SYyzzC9 |
| IMP | 294C30F07BD18071315CF9C16B25BF24 |
| PESHA1 | 4BB8A61E29EB42C50B87B7A55F1F4FB2A0B6A4F4 |
| PE256 | BD0A2225E15CC8DE197AA60D4C6EF13E35FC8D76175FBF02C6A7182512C6C798 |
Runtime Data
Usage (stdout):
Microsoft (R) TTDInject Launcher 1.01.07
Release: 10.0.22000.1
Copyright (C) Microsoft Corporation. All rights reserved.
Usage (stderr):
!!! Unexpected string 'help' after 'C:\WINDOWS\SysWOW64\ttdinject.exe'
Loaded Modules:
| Path |
| --- |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\System32\wow64.dll |
| C:\WINDOWS\System32\wow64base.dll |
| C:\WINDOWS\System32\wow64con.dll |
| C:\WINDOWS\System32\wow64cpu.dll |
| C:\WINDOWS\System32\wow64win.dll |
| C:\WINDOWS\SysWOW64\ttdinject.exe |
Signature
- Status: Signature verified.
- Serial: 33000002ED2C45E4C145CF48440000000002ED
- Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
- Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
- Original Filename: TTDInject.EXE
- Product Name: Microsoft Windows Operating System
- Company Name: Microsoft Corporation
- File Version: 10.0.22000.1 (WinBuild.160101.0800)
- Product Version: 10.0.22000.1
- Language: English (United States)
- Legal Copyright: Microsoft Corporation. All rights reserved.
- Machine Type: 32-bit
File Scan
- VirusTotal Detections: 0/73
- VirusTotal Link: https://www.virustotal.com/gui/file/f0a44d3c9ebc66e484e113088a9082f8939edad691f36c21be85cbfd994d1d99/detection
Possible Misuse
The following table contains possible examples of ttdinject.exe being misused. While ttdinject.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.
| Source | Source File | Example | License |
| --- | --- | --- | --- |
| LOLBAS | Ttdinject.yml | Name: Ttdinject.exe | |
| LOLBAS | Ttdinject.yml | - Command: TTDInject.exe /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /Launch "C:/Windows/System32/calc.exe" | |
| LOLBAS | Ttdinject.yml | Description: Execute calc using ttdinject.exe. Requires administrator privileges. A log file will be created in tmp.run. The log file can be changed, but the length (7) has to be updated. | |
| LOLBAS | Ttdinject.yml | - Command: ttdinject.exe /ClientScenario TTDRecorder /ddload 0 /ClientParams "7 tmp.run 0 0 0 0 0 0 0 0 0 0" /launch "C:/Windows/System32/calc.exe" | |
| LOLBAS | Ttdinject.yml | - Path: C:\Windows\System32\ttdinject.exe | |
| LOLBAS | Ttdinject.yml | - Path: C:\Windows\Syswow64\ttdinject.exe | |
| LOLBAS | Ttdinject.yml | - IOC: Parent child relationship. Ttdinject.exe parent for executed command | |
| LOLBAS | Ttdinject.yml | - IOC: Multiple queries made to the IFEO registry key of an untrusted executable (Ex. "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\payload.exe") from the ttdinject.exe process | |
MIT License. Copyright (c) 2020-2021 Strontic.