Case #458
service.windows_process_creation/proc_creation_win_expand_cabinet_files
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
Potentially Suspicious Cabinet File Expansion
high
Rule: service.windows_process_creation/proc_creation_win_expand_cabinet_files
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_PROCESS
Confidence: 95% · Verdict: false positive
Event Data:
BASE_ADDRESS:
12648448
COMMAND_LINE:
"C:\WINDOWS\SysWOW64\expand.exe" -r -F:* "C:\ProgramData\Dell\SupportAssist\TechnicianToolkit\SupportFiles.cab" "C:\ProgramData\Dell\SupportAssist\TechnicianToolkit\Library"
FILE_IS_SIGNED:
1
FILE_PATH:
C:\WINDOWS\SysWOW64\expand.exe
HASH:
dfc1709a2988301f7a9d145fb107793e3299ecc85f4b9702523939e35573ab85
MEMORY_USAGE:
8044544
PARENT:
{'BASE_ADDRESS': 9633792, 'COMMAND_LINE': '"C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe" "en" "C:\\ProgramData\\Dell\\SupportAssist\\Agent\\Certificate\\SRE\\e231b57f-d97f-475d-bd70-e5b839232e92.pfx" "127.0.0.1:10528" "5ce2f89a-f6dd-497e-a5d6-38e955aaf176" "false"', 'FILE_IS_SIGNED': 1, 'FILE_PATH': 'C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe', 'HASH': '4209038199a68a376fc84137887a18bbeb149f54ad610645f2d585c44a569f31', 'MEMORY_USAGE': 4648960, 'PARENT_ATOM': '7a1843f3f92f80d78b404bd469bb9681', 'PARENT_PROCESS_ID': 12556, 'PROCESS_ID': 9256, 'THIS_ATOM': '6b4a9782c9cf20e12a85883e69bb96e1', 'THREADS': 4, 'TIMESTAMP': 1773901536063, 'USER_NAME': 'NT AUTHORITY\\SYSTEM'}
PARENT_PROCESS_ID:
9256
PROCESS_ID:
12716
THREADS:
1
USER_NAME:
NT AUTHORITY\SYSTEM
IOCs:
{'type': 'file_path', 'value': 'C:\\WINDOWS\\SysWOW64\\expand.exe'}
{'type': 'hash', 'value': 'dfc1709a2988301f7a9d145fb107793e3299ecc85f4b9702523939e35573ab85'}
Analyst Declaration:
Raw Detection JSON
{
"author": "_ext-sigma-7a14fbc3-54d9-4b4d-8700-61eddada04f0[bulk][segment]",
"cat": "Potentially Suspicious Cabinet File Expansion",
"detect": {
"event": {
"BASE_ADDRESS": 12648448,
"COMMAND_LINE": "\"C:\\WINDOWS\\SysWOW64\\expand.exe\" -r -F:* \"C:\\ProgramData\\Dell\\SupportAssist\\TechnicianToolkit\\SupportFiles.cab\" \"C:\\ProgramData\\Dell\\SupportAssist\\TechnicianToolkit\\Library\"",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\WINDOWS\\SysWOW64\\expand.exe",
"HASH": "dfc1709a2988301f7a9d145fb107793e3299ecc85f4b9702523939e35573ab85",
"MEMORY_USAGE": 8044544,
"PARENT": {
"BASE_ADDRESS": 9633792,
"COMMAND_LINE": "\"C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe\" \"en\" \"C:\\ProgramData\\Dell\\SupportAssist\\Agent\\Certificate\\SRE\\e231b57f-d97f-475d-bd70-e5b839232e92.pfx\" \"127.0.0.1:10528\" \"5ce2f89a-f6dd-497e-a5d6-38e955aaf176\" \"false\"",
"FILE_IS_SIGNED": 1,
"FILE_PATH": "C:\\Program Files\\Dell\\SupportAssistAgent\\SRE\\SRE.exe",
"HASH": "4209038199a68a376fc84137887a18bbeb149f54ad610645f2d585c44a569f31",
"MEMORY_USAGE": 4648960,
"PARENT_ATOM": "7a1843f3f92f80d78b404bd469bb9681",
"PARENT_PROCESS_ID": 12556,
"PROCESS_ID": 9256,
"THIS_ATOM": "6b4a9782c9cf20e12a85883e69bb96e1",
"THREADS": 4,
"TIMESTAMP": 1773901536063,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"PARENT_PROCESS_ID": 9256,
"PROCESS_ID": 12716,
"THREADS": 1,
"USER_NAME": "NT AUTHORITY\\SYSTEM"
},
"routing": {
"arch": 2,
"did": "",
"event_id": "0f8d5ad9-069c-4906-be19-8ce916df17a5",
"event_time": 1773901731173,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": -26,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "6b4a9782c9cf20e12a85883e69bb96e1",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "d9033654546fec6a8bb9bec969bb97a3"
}
},
"detect_id": "02055686-9bed-4e80-8b97-502f69bb97a3",
"detect_mtd": {
"author": "Bhabesh Raj, X__Junior (Nextron Systems)",
"description": "Detects the expansion or decompression of cabinet files from potentially suspicious or uncommon locations, e.g. seen in Iranian MeteorExpress related attacks",
"falsepositives": [
"System administrator Usage"
],
"level": "medium",
"references": [
"https://labs.sentinelone.com/meteorexpress-mysterious-wiper-paralyzes-iranian-trains-with-epic-troll",
"https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/"
],
"tags": [
"attack.defense-evasion",
"attack.t1218"
]
},
"gen_time": 1773901731148,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1773901731\u0026selected=d9033654546fec6a8bb9bec969bb97a3",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "0f8d5ad9-069c-4906-be19-8ce916df17a5",
"event_time": 1773901731173,
"event_type": "NEW_PROCESS",
"ext_ip": "23.128.32.10",
"hostname": "desktop-3nfb237",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.40",
"latency": -26,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "6b4a9782c9cf20e12a85883e69bb96e1",
"plat": 268435456,
"sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"qucikbooks",
"windows",
"yara_detection_memory"
],
"this": "d9033654546fec6a8bb9bec969bb97a3"
},
"rule_tags": [
"ext:ext-sigma",
"attack.defense-evasion",
"attack.t1218"
],
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
"source_rule": "service.windows_process_creation/proc_creation_win_expand_cabinet_files",
"ts": 1773901731000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": -11,
"stats": {
"confirmed-timeout": 0,
"failure": 7,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 2,
"type-unsupported": 4,
"undetected": 63
}
}
}
Triage JSON
{
"confidence": 0.95,
"false_positive_reason": "expand.exe is a legitimate Microsoft system utility running from expected location, signed by Microsoft, and invoked by authorized vendor support agent (SRE.exe) under SYSTEM context. Historical analyst feedback confirms this pattern consistently generates false positives.",
"investigation_questions": [
"Is Dell SupportAssist installed and authorized on this endpoint?",
"Has the SYSTEM user account been granted administrative privileges for vendor maintenance?"
],
"ioc_analysis": "expand.exe is a known Microsoft-signed utility located in C:\\WINDOWS\\SysWOW64\\, which matches expected system binary locations. The process is signed (FILE_IS_SIGNED: 1) and spawned by SRE.exe, a legitimate Dell SupportAssist agent component. The command line shows standard cabinet file expansion behavior for vendor support tools.",
"iocs_extracted": [
{
"type": "file_path",
"value": "C:\\WINDOWS\\SysWOW64\\expand.exe"
},
{
"type": "hash",
"value": "dfc1709a2988301f7a9d145fb107793e3299ecc85f4b9702523939e35573ab85"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Manual analyst review required \u2014 AI models (majority)",
"Log as informational event only",
"No immediate containment required",
"Verify vendor support tools are authorized on this host"
],
"risk_score": 10,
"severity": "high",
"summary": "**Vote: MAJORITY (1/1 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection flagged a legitimate Windows system binary (expand.exe) running from its expected SysWOW64 directory to expand a Dell SupportAssist cabinet file under SYSTEM privileges. Historical analyst feedback consistently marks this rule as a false positive for legitimate vendor maintenance tools.\n\n**IOC Analysis:** expand.exe is a known Microsoft-signed utility located in C:\\WINDOWS\\SysWOW64\\, which matches expected system binary locations. The process is signed (FILE_IS_SIGNED: 1) and spawned by SRE.exe, a legitimate Dell SupportAssist agent component. The command line shows standard cabinet file expansion behavior for vendor support tools.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\nFailed or timed out.",
"verdict": "false_positive",
"voting": {
"auto_action": "manual_review",
"mode": "majority",
"total_models": 1,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 95% confidence)"
],
"votes": [
{
"confidence": 0.95,
"model": "qwen3.5:4b",
"verdict": "false_positive"
}
],
"winning_count": 1,
"winning_verdict": "false_positive"
}
}
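The triage rationale above rests on three facts from the event (Microsoft-signed expand.exe in its expected path, parent SRE.exe under Program Files\Dell, SYSTEM context), and the timeline's tuning recommendation is to exclude expand.exe when the parent is a signed Dell SupportAssist binary. The Python below is an added example, not LimaCharlie's, Sigma's or Dell's code, that makes the difference between a loose and a tight version of that exclusion concrete. Its `rule_matches` is a reduced stand-in for the rule's logic (the "uncommon location" list is an assumption; only the C:\ProgramData\ entry is drawn from this case's command line). `CASE_EVENT` is built from the values shown in this case; `ATTACKER_EVENT` (a parent merely named SRE.exe, dropped in a user-writable folder) and `TRAVERSAL_EVENT` (the genuine parent, but a cab path that walks out of the Dell directory) are constructed to probe the exclusion.

```python
# Added example (not LimaCharlie's, Sigma's or Dell's code). CASE_EVENT is built
# from this case's values; ATTACKER_EVENT and TRAVERSAL_EVENT are constructed.
import re

# ASSUMPTION: reduced stand-in for the rule's "uncommon location" list; only
# the C:\ProgramData\ entry is drawn from this case's command line.
SUSPICIOUS_DIRS = ("c:\\programdata\\", "c:\\users\\public\\",
                   "\\appdata\\local\\temp\\")

# Where Microsoft's expand.exe lives on a 64-bit host.
EXPAND_PATHS = {"c:\\windows\\system32\\expand.exe",
                "c:\\windows\\syswow64\\expand.exe"}

# Pins for the Dell SupportAssist exclusion, taken from the case's parent and
# command line. Trailing backslash so "...\dellx\" cannot match.
DELL_PARENT_DIR = "c:\\program files\\dell\\supportassistagent\\"
DELL_DATA_DIR = "c:\\programdata\\dell\\supportassist\\"

# Constructed from the case's NEW_PROCESS event.
CASE_EVENT = {
    "FILE_PATH": r"C:\WINDOWS\SysWOW64\expand.exe",
    "COMMAND_LINE": (
        r'"C:\WINDOWS\SysWOW64\expand.exe" -r -F:* '
        r'"C:\ProgramData\Dell\SupportAssist\TechnicianToolkit\SupportFiles.cab" '
        r'"C:\ProgramData\Dell\SupportAssist\TechnicianToolkit\Library"'),
    "FILE_IS_SIGNED": 1,
    "USER_NAME": r"NT AUTHORITY\SYSTEM",
    "PARENT": {"FILE_PATH": r"C:\Program Files\Dell\SupportAssistAgent\SRE\SRE.exe",
               "FILE_IS_SIGNED": 1},
}

# Constructed look-alike: the parent is merely *named* SRE.exe.
ATTACKER_EVENT = {
    "FILE_PATH": r"C:\WINDOWS\System32\expand.exe",
    "COMMAND_LINE": (r'"C:\WINDOWS\System32\expand.exe" -r -F:* '
                     r'"C:\Users\Public\payload.cab" "C:\Users\Public\out"'),
    "FILE_IS_SIGNED": 1,
    "USER_NAME": r"DESKTOP-3NFB237\jdoe",
    "PARENT": {"FILE_PATH": r"C:\Users\Public\SRE.exe", "FILE_IS_SIGNED": 0},
}

# Constructed variant: genuine parent, but the cab path walks out of the Dell
# directory. A bare prefix match on the source path would wave it through.
TRAVERSAL_EVENT = dict(CASE_EVENT, COMMAND_LINE=(
    r'"C:\WINDOWS\SysWOW64\expand.exe" -r -F:* '
    r'"C:\ProgramData\Dell\SupportAssist\..\..\..\Users\Public\payload.cab" '
    r'"C:\ProgramData\Dell\SupportAssist\TechnicianToolkit\Library"'))


def _args(cmd):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def rule_matches(event):
    """Reduced stand-in for proc_creation_win_expand_cabinet_files."""
    image = event["FILE_PATH"].lower()
    cmd = event["COMMAND_LINE"].lower()
    return (image.endswith("\\expand.exe") and "-f:" in cmd
            and any(d in cmd for d in SUSPICIOUS_DIRS))


def naive_exclusion(event):
    """The tuning as literally worded: the parent's file name is SRE.exe."""
    return event["PARENT"]["FILE_PATH"].lower().endswith("\\sre.exe")


def strict_exclusion(event):
    """Pin every field the event carries, not just the parent's name."""
    # FILE_IS_SIGNED only says a signature exists, not who signed it; the
    # path pin on a directory only administrators can write is what narrows this.
    parent = event["PARENT"]
    args = _args(event["COMMAND_LINE"])
    if len(args) < 3:
        return False
    src, dst = args[-2].lower(), args[-1].lower()
    return (parent["FILE_PATH"].lower().startswith(DELL_PARENT_DIR)
            and parent.get("FILE_IS_SIGNED") == 1
            and event.get("FILE_IS_SIGNED") == 1
            and event["FILE_PATH"].lower() in EXPAND_PATHS
            and event["USER_NAME"].lower() == "nt authority\\system"
            and src.startswith(DELL_DATA_DIR) and src.endswith(".cab")
            and dst.startswith(DELL_DATA_DIR)
            and ".." not in src and ".." not in dst)


def triage(event, exclusion=strict_exclusion):
    """Return 'no_match', 'suppressed' or 'alert' for one NEW_PROCESS event."""
    if not rule_matches(event):
        return "no_match"
    return "suppressed" if exclusion(event) else "alert"


if __name__ == "__main__":
    for name, ev in [("case", CASE_EVENT), ("attacker", ATTACKER_EVENT),
                     ("traversal", TRAVERSAL_EVENT)]:
        print(f"{name:9s} naive={triage(ev, naive_exclusion):10s} strict={triage(ev)}")
```

Both exclusions suppress this case. The naive one also suppresses the attacker look-alike and the traversal variant, which is exactly the blind spot a name-only tuning creates: any binary an attacker calls SRE.exe, anywhere, silences the rule. The strict one keeps alerting on both. Two caveats the event schema forces: FILE_IS_SIGNED records presence of a signature, not the signer, so a production exclusion should additionally check the signer subject where the sensor exposes it; and the checks are string prefixes, which is why the `..` test is there rather than relying on the prefix alone.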
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Close this alert as a false positive | executed | General Activity Sweep: 0 events found |
| recommended | Consider tuning the detection rule to exclude expand.exe when the parent process is a signed Dell SupportAssist binary | executed | Process Tree Investigation: 0 events found |
| tag | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated | executed | Tag applied |
| recommended | Manual analyst review required — AI models (majority) | executed | General Activity Sweep: 0 events found |
| recommended | Log as informational event only | executed | General Activity Sweep: 0 events found |
| recommended | No immediate containment required | executed | General Activity Sweep: 0 events found |
| recommended | Verify vendor support tools are authorized on this host | executed | General Activity Sweep: 0 events found |
Notes (8)
FusionSOC AI · 2026-03-23T04:20
FusionSOC AI · 2026-03-23T04:20
FusionSOC AI · 2026-03-23T04:20
FusionSOC AI · 2026-03-23T04:20
FusionSOC AI · 2026-03-23T04:15
FusionSOC AI · 2026-03-23T04:15
FusionSOC AI · 2026-03-23T04:15
FusionSOC AI · 2026-03-23T04:15
Timeline
| Time | Actor | Event |
|---|---|---|
| 2026-03-23T14:29:32 | analyst | Status changed: investigating → closed |
| 2026-03-23T14:29:28 | analyst | Analyst classified as False Positive (FP) |
| 2026-03-23T04:20:50 | FusionSOC AI | Status changed: investigating → investigating |
| 2026-03-23T04:20:50 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found |
| 2026-03-23T04:20:50 | FusionSOC AI | Note by FusionSOC AI: ## General Activity Sweep **Action:** Verify vendor support tools are authorized on this host **Sensor:** `ed8f7c3f-3a... |
| 2026-03-23T04:20:50 | FusionSOC | Response action queued: recommended on Verify vendor support tools are authorized on this host |
| 2026-03-23T04:20:50 | FusionSOC AI | Status changed: investigating → investigating |
| 2026-03-23T04:20:50 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found |
| 2026-03-23T04:20:50 | FusionSOC AI | Note by FusionSOC AI: ## General Activity Sweep **Action:** No immediate containment required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Windo... |
| 2026-03-23T04:20:50 | FusionSOC | Response action queued: recommended on No immediate containment required |
| 2026-03-23T04:20:50 | FusionSOC AI | Status changed: investigating → investigating |
| 2026-03-23T04:20:50 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found |
| 2026-03-23T04:20:50 | FusionSOC AI | Note by FusionSOC AI: ## General Activity Sweep **Action:** Log as informational event only **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:... |
| 2026-03-23T04:20:49 | FusionSOC | Response action queued: recommended on Log as informational event only |
| 2026-03-23T04:20:49 | FusionSOC AI | Status changed: investigating → investigating |
| 2026-03-23T04:20:49 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found |
| 2026-03-23T04:20:49 | FusionSOC AI | Note by FusionSOC AI: ## General Activity Sweep **Action:** Manual analyst review required — AI models (majority) **Sensor:** `ed8f7c3f-3a1a... |
| 2026-03-23T04:20:49 | FusionSOC | Response action queued: recommended on Manual analyst review required — AI models (majority) |
| 2026-03-23T04:20:49 | FusionSOC | Action tag → executed: Tag applied |
| 2026-03-23T04:20:49 | FusionSOC | Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated |
| 2026-03-23T04:15:12 | FusionSOC AI | Status changed: investigating → investigating |
| 2026-03-23T04:15:12 | FusionSOC | Action recommended → executed: Process Tree Investigation: 0 events found |
| 2026-03-23T04:15:12 | FusionSOC AI | Note by FusionSOC AI: ## Process Tree Investigation **Action:** Consider tuning the detection rule to exclude expand.exe when the parent pro... |
| 2026-03-23T04:15:12 | FusionSOC | Response action queued: recommended on Consider tuning the detection rule to exclude expand.exe when the parent process is a signed Dell SupportAssist binary |
| 2026-03-23T04:15:12 | FusionSOC AI | Status changed: investigating → investigating |
| 2026-03-23T04:15:12 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found |
| 2026-03-23T04:15:12 | FusionSOC AI | Note by FusionSOC AI: ## General Activity Sweep **Action:** Close this alert as a false positive **Sensor:** `ed8f7c3f-3a1a-49...` **Time Wi... |
| 2026-03-23T04:15:12 | FusionSOC | Response action queued: recommended on Close this alert as a false positive |
| 2026-03-23T04:15:12 | FusionSOC AI | Status changed: open → investigating |
| 2026-03-23T04:15:12 | FusionSOC | Action recommended → executed: General Activity Sweep: 0 events found |
| 2026-03-23T04:15:12 | FusionSOC AI | Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `ed8f7c3f-3a1a-4... |
| 2026-03-23T04:15:11 | FusionSOC | Response action queued: recommended on Close case as false positive (unanimous AI verdict) |
| 2026-03-23T04:15:11 | FusionSOC | Action tag → executed: Tag applied |
| 2026-03-23T04:15:11 | FusionSOC | Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated |
| 2026-03-23T04:15:11 | FusionSOC AI | Detection 02055686-9bed-4e80-8b97-502f69bb97a3 triaged as false_positive (low severity, confidence: 96%) |
| 2026-03-23T04:15:11 | FusionSOC AI | Case created from detection: service.windows_process_creation/proc_creation_win_expand_cabinet_files |