Case #480
general.NEW FILE WRITE BYTES SAMPLE GRAB
🏷️ Analyst Verdict Classification
FP by analyst
🤖 AI Analysis
Detections (1)
New Code Atypical Path
low
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_DOCUMENT
Confidence: 85% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Users\Joy Howell\AppData\Local\Temp\dbfhide.exe
HASH:
9a20e7b77d89b7804e98fdcbe80cebb5beb7a9594a4b94e6543fb05377bb4d8b
PROCESS_ID:
31932
IOCs:
C:\Users\Joy Howell\AppData\Local\Temp\dbfhide.exe
9a20e7b77d89b7804e98fdcbe80cebb5beb7a9594a4b94e6543fb05377bb4d8b
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\dbfhide.exe",
"HASH": "9a20e7b77d89b7804e98fdcbe80cebb5beb7a9594a4b94e6543fb05377bb4d8b",
"PROCESS_ID": 31932
},
"routing": {
"arch": 2,
"did": "",
"event_id": "204d5211-c83c-4177-90f9-59d08d72a442",
"event_time": 1774364274304,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1254,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e2be6b24c56dfa0613f286f69c2a672",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "d8a052ff2b229311d9ee8fb969c2a673"
}
},
"detect_id": "bd502161-8403-4c75-891b-b71769c2a673",
"gen_time": 1774364275558,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364274\u0026selected=d8a052ff2b229311d9ee8fb969c2a673",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "204d5211-c83c-4177-90f9-59d08d72a442",
"event_time": 1774364274304,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 1254,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "0e2be6b24c56dfa0613f286f69c2a672",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "d8a052ff2b229311d9ee8fb969c2a673"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774364275000
}
Threat Intel JSON
{
"virustotal": {
"malicious": true,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 1,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 71
}
}
}
🤖 Triage JSON
{
"confidence": 0.85,
"false_positive_reason": "Historical analyst feedback consistently indicates false positive for this rule type; Temp directory is standard location for legitimate temporary executables",
"investigation_questions": [
"What application created this temporary file?",
"Is there a scheduled task or service that generates temp files?",
"Has this file been modified recently by legitimate software?"
],
"ioc_analysis": "The file path C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\dbfhide.exe is in a common temporary directory where legitimate applications store temporary executables. Without additional context showing malicious behavior or unexpected parent processes, this appears to be benign system activity.",
"iocs_extracted": [
"C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\dbfhide.exe",
"9a20e7b77d89b7804e98fdcbe80cebb5beb7a9594a4b94e6543fb05377bb4d8b"
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Monitor for persistence mechanisms",
"Review process tree for suspicious parent processes",
"Check file hash against known-good databases"
],
"risk_score": 18,
"severity": "low",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection flagged a new file write to the Temp directory, but historical analyst feedback consistently marks this rule as false positive for legitimate system activity. The process is located in AppData\\Local\\Temp, which is a standard location for temporary files and executables.\n\n**IOC Analysis:** The file path C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\dbfhide.exe is in a common temporary directory where legitimate applications store temporary executables. Without additional context showing malicious behavior or unexpected parent processes, this appears to be benign system activity.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.8\nA new file was detected in the AppData\\Local\\Temp directory, which is commonly used by legitimate software but can be exploited by malware. However, given the high false positive rate for this detection rule and the lack of additional malicious indicators, it is likely a false positive.\n\n**IOC Analysis:** The file path C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\dbfhide.exe is not located in expected directories for known system binaries, such as C:\\Windows\\System32\\ or C:\\Program Files\\. The hash is provided but not verified against known malware databases, so no definitive maliciousness can be confirmed. The detection rule has a history of false positives, supporting a benign conclusion.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 90% confidence)",
"deepseek-r1:8b: false_positive (low, 80% confidence)"
],
"votes": [
{
"confidence": 0.9,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.8,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
⚙️ Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | | executed | Tag applied |
| recommended | | executed | General Activity Sweep: 0 events found |
| recommended | | executed | Persistence Check: 0 events found |
| recommended | | executed | Process Tree Investigation: 45 events found |
| recommended | | executed | File Activity Investigation: 0 events found |
💬 Notes (5)
🤖 FusionSOC AI 2026-03-24T15:05
🤖 FusionSOC AI 2026-03-24T15:05
🤖 FusionSOC AI 2026-03-24T15:05
🤖 FusionSOC AI 2026-03-24T15:05
🤖 FusionSOC AI 2026-03-24T15:05
Timeline
2026-03-24T15:06:37
analyst
Status changed: investigating → closed
2026-03-24T15:06:31
analyst
Analyst classified as False Positive (FP)
2026-03-24T15:05:26
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:05:26
FusionSOC
Action recommended → executed: File Activity Investigation: 0 events found
2026-03-24T15:05:26
FusionSOC AI
Note by FusionSOC AI: ## File Activity Investigation **Action:** Check file hash against known-good databases **Sensor:** `8f3a47be-5629-4c....
2026-03-24T15:05:24
FusionSOC
Response action queued: recommended on Check file hash against known-good databases
2026-03-24T15:05:24
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:05:24
FusionSOC
Action recommended → executed: Process Tree Investigation: 45 events found
2026-03-24T15:05:24
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Review process tree for suspicious parent processes **Sensor:** `8f3a47be-56...
2026-03-24T15:05:23
FusionSOC
Response action queued: recommended on Review process tree for suspicious parent processes
2026-03-24T15:05:23
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T15:05:23
FusionSOC
Action recommended → executed: Persistence Check: 0 events found
2026-03-24T15:05:23
FusionSOC AI
Note by FusionSOC AI: ## Persistence Check **Action:** Monitor for persistence mechanisms **Sensor:** `8f3a47be-5629-4c...` **Time Window:**...
2026-03-24T15:05:21
FusionSOC
Response action queued: recommended on Monitor for persistence mechanisms
2026-03-24T15:05:21
FusionSOC AI
Status changed: open → investigating
2026-03-24T15:05:21
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T15:05:21
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T15:05:21
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T15:05:21
FusionSOC
Action tag → executed: Tag applied
2026-03-24T15:05:21
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T15:05:21
FusionSOC AI
Detection bd502161-8403-4c75-891b-b71769c2a673 triaged as false_positive (low severity, confidence: 85%)
2026-03-24T15:05:21
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB