tttracer.exe

  • File Path: C:\WINDOWS\system32\tttracer.exe
  • Description: Time Travel Debugging Tracer Tool

Hashes

Type Hash
MD5 7A5725DA28274C3109BDEBD22B012855
SHA1 A16AF707EDF92B82EE1A027DBDAF3914A253D431
SHA256 369E7975815009216B360DA3D4FE674AD629EF3062253028202B9986E2BCE8C7
SHA384 F56CB356C310C53BC6578649E5E9702D7F643C266834515EE5EAB2A5E4FDCA329DBFD10F5F1C5A74BBD2360A322EC25D
SHA512 022DC80D186A1ED4C5B932DA16D3809482C16FF9EB34AD10FF9CA17414E5FF36AD8F5D0AA56FA705B75A6812C81294F1F43497CBCD132AB26A26AEF8A6F5E0B9
SSDEEP 1536:NeA0pRIZvTBAZJ/4fcqirHM+vmD+M1thIJdt6jXn4uXS6tpsuczJe8s4TIeFPX/0:c7pOAPIcqqsEmD+BLyS6YukTH0
IMP D280B8D23E790922A5FFB0971EDF42A3
PESHA1 054EE0E79DC97F8981688E947BBEFA78B478F219
PE256 A5270313C54B482A3F39DA5EC48C791747DB9367B780F3CD6794D56B296E27D6

Runtime Data

Usage (stdout):

MICROSOFT TIME TRAVEL DEBUGGING (TTD)

Time Travel Debugging (TTD) command line utility is not meant for use in custom software or
automation. TTD is included with this version of Windows to improve diagnostics gathering and is not
intended for direct use as a stand-alone solution.

DISCLAIMER OF WARRANTY. THE SOFTWARE IS LICENSED "AS IS." YOU BEAR THE RISK OF USING IT. MICROSOFT
GIVES NO EXPRESS WARRANTIES, GUARANTEES, OR CONDITIONS. TO THE EXTENT PERMITTED UNDER APPLICABLE LAWS,
MICROSOFT EXCLUDES ALL IMPLIED WARRANTIES, INCLUDING MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE,
AND NON-INFRINGEMENT.

1. DATA COLLECTION. The software may collect information about you and your use of the software and send
   that to Microsoft. Microsoft may use this information to provide services and improve Microsoft's
   products and services. Your opt-out rights, if any, are described in the product documentation. Some
   features in the software may enable collection of data from users of your applications that access or
   use the software. If you use these features to enable data collection in your applications, you must
   comply with applicable law, including getting any required user consent, and maintain a prominent
   privacy policy that accurately informs users about how you use, collect, and share their data. You can
   learn more about Microsoft's data collection and use in the product documentation and the Microsoft
   Privacy Statement at https://go.microsoft.com/fwlink/?LinkId=521839. You agree to comply with all
   applicable provisions of the Microsoft Privacy Statement.

2. SCOPE OF LICENSE. The software is licensed, not sold. Microsoft reserves all other rights. Unless
   applicable law gives you more rights despite this limitation, you will not (and have no right to):
    a) work around any technical limitations in the software that only allow you to use it in certain ways;
    b) reverse engineer, decompile or disassemble the software;
    c) remove, minimize, block, or modify any notices of Microsoft or its suppliers in the software;
    d) use the software for commercial, non-profit, or revenue-generating activities;
    e) use the software in any way that is against the law or to create or propagate malware; or
    f) share, publish, distribute, or lend the software, provide the software as a stand-alone hosted
       solution for others to use, or transfer the software or this agreement to any third party.

3. SUPPORT SERVICES. Microsoft is not obligated under this agreement to provide any support services
   for the software. Any support provided is "as is", "with all faults", and without warranty of any kind.


Usage (stderr):

Error:  Unrecognized command line option '--help' (Error Code 0x80070057:  The parameter is incorrect.)

Loaded Modules:

Path
C:\WINDOWS\System32\KERNEL32.DLL
C:\WINDOWS\System32\KERNELBASE.dll
C:\WINDOWS\SYSTEM32\ntdll.dll
C:\WINDOWS\system32\tttracer.exe

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: TTTracer.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/369e7975815009216b360da3d4fe674ad629ef3062253028202b9986e2bce8c7/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\tttracer.exe 36
C:\Windows\system32\tttracer.exe 32
C:\Windows\SysWOW64\tttracer.exe 35
C:\Windows\SysWOW64\tttracer.exe 32
C:\WINDOWS\SysWOW64\tttracer.exe 35

Possible Misuse

The following table contains possible examples of tttracer.exe being misused. While tttracer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma image_load_tttracer_mod_load.yml description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. DRL 1.0
sigma image_load_tttracer_mod_load.yml - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ DRL 1.0
sigma proc_creation_win_tttracer_mod_load.yml description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe. DRL 1.0
sigma proc_creation_win_tttracer_mod_load.yml - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/ DRL 1.0
sigma proc_creation_win_tttracer_mod_load.yml ParentImage\|endswith: '\tttracer.exe' DRL 1.0
LOLBAS Ttdinject.yml Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)  
LOLBAS Tttracer.yml Name: Tttracer.exe  
LOLBAS Tttracer.yml - Command: tttracer.exe C:\windows\system32\calc.exe  
LOLBAS Tttracer.yml Description: Execute calc using tttracer.exe. Requires administrator privileges  
LOLBAS Tttracer.yml - Command: TTTracer.exe -dumpFull -attach pid  
LOLBAS Tttracer.yml Description: Dumps process using tttracer.exe. Requires administrator privileges  
LOLBAS Tttracer.yml - Path: C:\Windows\System32\tttracer.exe  
LOLBAS Tttracer.yml - Path: C:\Windows\SysWOW64\tttracer.exe  
LOLBAS Tttracer.yml - IOC: Parent child relationship. Tttracer parent for executed command  

MIT License. Copyright (c) 2020-2021 Strontic.