tttracer.exe

  • File Path: C:\Windows\SysWOW64\tttracer.exe
  • Description: Time Travel Tracing Tracer Tool

Hashes

  • MD5: D6972207EACDB8AC6526A0624BD4FCF5
  • SHA1: EE8324C6932F1A52A74CA6B62DB0D19BD5E78211
  • SHA256: F501B18D8270CE7802E724C84D1EBA5C5D77ADB9113739605FB45E302EDF9C4C
  • SHA384: 5C2AA92C40DAB06E2D0F5F25D08250BFEF78CF4ECA71774DA85EA202D97F74278E1CDC6B14615245C2E015B63ABB120C
  • SHA512: B9289CED19CEB996E8B6CD987FC12F725F2A9E74EF68207368FCD6030AAE793B2FAB17BD0B72E04875C866DD2A3C7CDC646815E12B70FD808524370D7A40A872
  • SSDEEP: 3072:NqmrA6A5XVO/DNT/J7rnOoXAlXZ3ptkeuOwinfX9EJTJx4VniXOFZ9nkTvcx8MxB:AmrR0XVOhTBNwv3XkOYJHlOFZpevcx88
  • IMP: 1399989C3CE962B011C51F54F5BD96A1
  • PESHA1: 280067D88E2855B202458003BF509F861172D5AF
  • PE256: CB0C6ADBC8EB0F5F6F715C5346FFDCDD0EA26B1B950A5DB3F631510ADAFB2B37

Runtime Data

Usage (stdout):

We have created EULA.TXT in the current folder. 
Please review this file before agreeing.
Have you read and do you accept the EULA? Y/N

Child Processes:

  • conhost.exe

Open Handles (path, with handle type):

  • (RW-) C:\Users\user (File)
  • (RW-) C:\Windows (File)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000004.db (Section)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000004.db (Section)
  • \BaseNamedObjects\C:*ProgramData*Microsoft*Windows*Caches*cversions.2.ro (Section)
  • \BaseNamedObjects\NLS_CodePage_1252_3_2_0_0 (Section)
  • \BaseNamedObjects\NLS_CodePage_437_3_2_0_0 (Section)

Loaded Modules:

  • C:\Windows\SYSTEM32\ntdll.dll
  • C:\Windows\System32\wow64.dll
  • C:\Windows\System32\wow64cpu.dll
  • C:\Windows\System32\wow64win.dll
  • C:\Windows\SysWOW64\tttracer.exe

Signature

  • Status: Signature verified.
  • Serial: 3300000266BD1580EFA75CD6D3000000000266
  • Thumbprint: A4341B9FD50FB9964283220A36A1EF6F6FAA7840
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: TTTracer.exe
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.17763.1 (WinBuild.160101.0800)
  • Product Version: 10.0.17763.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 32-bit

File Scan

  • VirusTotal Detections: 0/70
  • VirusTotal Link: https://www.virustotal.com/gui/file/f501b18d8270ce7802e724c84d1eba5c5d77adb9113739605fb45e302edf9c4c/detection/

Possible Misuse

The following entries, grouped by source and source file, contain possible examples of tttracer.exe being misused. While tttracer.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

  • Source: sigma, file image_load_tttracer_mod_load.yml (License: DRL 1.0)
      description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
      - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
  • Source: sigma, file proc_creation_win_tttracer_mod_load.yml (License: DRL 1.0)
      description: Detects usage of Time Travel Debugging Utility. Adversaries can execute malicious processes and dump processes, such as lsass.exe, via tttracer.exe.
      - https://lolbas-project.github.io/lolbas/Binaries/Tttracer/
      ParentImage|endswith: '\tttracer.exe'
  • Source: LOLBAS, file Ttdinject.yml
      Description: Used by Windows 1809 and newer to Debug Time Travel (Underlying call of tttracer.exe)
  • Source: LOLBAS, file Tttracer.yml
      Name: Tttracer.exe
      - Command: tttracer.exe C:\windows\system32\calc.exe
      Description: Execute calc using tttracer.exe. Requires administrator privileges
      - Command: TTTracer.exe -dumpFull -attach pid
      Description: Dumps process using tttracer.exe. Requires administrator privileges
      - Path: C:\Windows\System32\tttracer.exe
      - Path: C:\Windows\SysWOW64\tttracer.exe
      - IOC: Parent child relationship. Tttracer parent for executed command

MIT License. Copyright (c) 2020-2021 Strontic.