Case #516
general.NEW FILE WRITE BYTES SAMPLE GRAB
Analyst Verdict Classification
FP by analyst
AI Analysis
Detections (1)
New Code Atypical Path
low
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-atsepsk · Sensor: 8f3a47be-5629-4c...
Event Type: NEW_DOCUMENT
Confidence: 80% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Users\Joy Howell\AppData\Local\Temp\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\ISBEW64.exe
HASH:
8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9
PROCESS_ID:
44412
IOCs:
{'type': 'file_path', 'value': 'C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe'}
{'type': 'hash', 'value': '8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9'}
Analyst Declaration:
Raw Detection JSON
{
"author": "ckeller@fusioncybersecurity.us",
"cat": "New Code Atypical Path",
"detect": {
"event": {
"FILE_PATH": "C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe",
"HASH": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9",
"PROCESS_ID": 44412
},
"routing": {
"arch": 2,
"did": "",
"event_id": "199fd9e6-9c63-40c1-b506-960a9c0712de",
"event_time": 1774364675187,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 692,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8666c9b4a7dc808d1fd77db969c2a699",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "eb8e247eb509e0dacc5b9a9169c2a803"
}
},
"detect_id": "611e8d33-7b93-4cb9-b17e-5b8e69c2a803",
"gen_time": 1774364675879,
"link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/8f3a47be-5629-4c66-921d-17c39ed07e87/timeline?time=1774364675\u0026selected=eb8e247eb509e0dacc5b9a9169c2a803",
"namespace": "general",
"routing": {
"arch": 2,
"did": "",
"event_id": "199fd9e6-9c63-40c1-b506-960a9c0712de",
"event_time": 1774364675187,
"event_type": "NEW_DOCUMENT",
"ext_ip": "23.128.32.10",
"hostname": "desktop-atsepsk",
"iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
"int_ip": "192.168.50.200",
"latency": 692,
"moduleid": 2,
"oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
"parent": "8666c9b4a7dc808d1fd77db969c2a699",
"plat": 268435456,
"sid": "8f3a47be-5629-4c66-921d-17c39ed07e87",
"tags": [
"fusion-soc-alert",
"fusion-soc-case",
"fusion-soc-pulled",
"fusion-soc-triage",
"fusionsoc-critical",
"fusionsoc-high",
"fusionsoc-investigated",
"joys",
"windows",
"yara_detection_disk",
"yara_detection_memory"
],
"this": "eb8e247eb509e0dacc5b9a9169c2a803"
},
"source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.8f3a47be-5629-4c66-921d-17c39ed07e87.10000000.2",
"source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
"ts": 1774364675000
}
Threat Intel JSON
{
"virustotal": {
"malicious": false,
"provider": "virustotal",
"reputation": 0,
"stats": {
"confirmed-timeout": 0,
"failure": 0,
"harmless": 0,
"malicious": 0,
"suspicious": 0,
"timeout": 0,
"type-unsupported": 4,
"undetected": 72
}
}
}
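The VirusTotal block above is easy to misread. `undetected: 72` means 72 engines scanned this hash and none flagged it, which is positive evidence about a file VirusTotal already knows; a hash VirusTotal has never seen produces no engine verdicts at all, which is the absence of evidence. `type-unsupported` and the timeout/failure counters are engines that said nothing, and `reputation` is the community score, not an engine result. The following is an added example (not part of the case record or of any tool named on this page) that scores a stats block with that distinction; the first dict is copied from this case, the other two are constructed, and it assumes an integration that normalises a "hash not found" reply to all-zero stats.

```python
"""Score a VirusTotal last_analysis_stats block for triage.

Added example for this case page. CASE_STATS is copied from the Threat
Intel JSON; UNSEEN_STATS and FLAGGED_STATS are constructed inputs.
"""

# Copied from this case: scanned by 72 engines, none flagged it.
CASE_STATS = {
    "confirmed-timeout": 0, "failure": 0, "harmless": 0, "malicious": 0,
    "suspicious": 0, "timeout": 0, "type-unsupported": 4, "undetected": 72,
}
# Constructed: a hash VirusTotal has never seen, assuming the integration
# normalises the API's "not found" reply to zeros (an assumption here).
UNSEEN_STATS = {k: 0 for k in CASE_STATS}
# Constructed: same engine count as the case, but three engines flag it.
FLAGGED_STATS = dict(CASE_STATS, malicious=3, undetected=69)

# Counters for engines that produced no verdict; they say nothing about
# the file and must not be read as "clean".
NON_VERDICT = ("type-unsupported", "timeout", "confirmed-timeout", "failure")


def assess_vt_stats(stats, min_engines=20):
    """Return (label, detail) for one stats dict.

    label is one of:
      'unknown'  - no engine returned a verdict (hash not in VT, or all failed)
      'flagged'  - at least one engine reported malicious or suspicious
      'low_data' - fewer than min_engines verdicts, none of them bad
      'clean'    - at least min_engines verdicts, none of them bad
    """
    verdict_engines = sum(n for k, n in stats.items() if k not in NON_VERDICT)
    bad = stats.get("malicious", 0) + stats.get("suspicious", 0)
    if verdict_engines == 0:
        return "unknown", "no engine returned a verdict"
    if bad > 0:
        return "flagged", f"{bad}/{verdict_engines} engines flagged the file"
    if verdict_engines < min_engines:
        return "low_data", f"only {verdict_engines} engines scanned it"
    return "clean", f"0/{verdict_engines} engines flagged the file"


if __name__ == "__main__":
    for name, stats in (("case", CASE_STATS), ("unseen", UNSEEN_STATS),
                        ("flagged", FLAGGED_STATS)):
        label, detail = assess_vt_stats(stats)
        print(f"{name:8} {label:9} {detail}")
```

For this case the function returns `clean` with `0/72 engines flagged the file`; the all-zero block returns `unknown`, which is the result an analyst should treat as "no intel", not as a clean bill.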
Triage JSON
{
"confidence": 0.8,
"false_positive_reason": "Historical analyst feedback consistently marks this rule type as false positives for legitimate system activity in temporary directories",
"investigation_questions": [
"What application triggered the creation of ISBEW64.exe?",
"Is there a scheduled task or service associated with this file?",
"Has this hash been seen in previous benign detections?"
],
"ioc_analysis": "The file ISBEW64.exe is located in the AppData\\Local\\Temp directory, which is commonly used by legitimate applications and Windows Update processes. The process tree shows no parent PID or command line, suggesting it may be a background service or scheduled task rather than malicious execution.",
"iocs_extracted": [
{
"type": "file_path",
"value": "C:\\Users\\Joy Howell\\AppData\\Local\\Temp\\{329D9E41-01C7-421B-9FF8-CABD9C10EE56}\\ISBEW64.exe"
},
{
"type": "hash",
"value": "8023e720f5a4b859e7ba5390037d4a08d7962d0a5af41c182806d403ea80fda9"
}
],
"mitre_techniques": [],
"recommended_actions": [
"Close case as false positive (unanimous AI verdict)",
"Monitor the file for persistence or execution",
"Verify if this is a legitimate Windows Update or system maintenance process",
"Check if the hash matches known Microsoft binaries"
],
"risk_score": 15,
"severity": "low",
"summary": "**Vote: UNANIMOUS (2/2 -\u003e FALSE POSITIVE)**\n\n### \u264a gemini-cli Analysis (Primary)\nFailed or timed out.\n\n---\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.9\nThe detection flagged a new file write to a temporary directory as suspicious, but historical analyst feedback consistently marks this rule type as false positives for legitimate system activity.\n\n**IOC Analysis:** The file ISBEW64.exe is located in the AppData\\Local\\Temp directory, which is commonly used by legitimate applications and Windows Update processes. The process tree shows no parent PID or command line, suggesting it may be a background service or scheduled task rather than malicious execution.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary)\n**Verdict:** false_positive | **Confidence:** 0.7\nThe detection event involves a new file write in the user\u0027s Temp directory, which is common for legitimate processes but can be exploited by malware. However, given the historical false positive rate for this rule and the lack of additional malicious indicators, it is likely benign.\n\n**IOC Analysis:** The FILE_PATH is located in C:\\Users\\Joy Howell\\AppData\\Local\\Temp, which is typical for temporary files and can be legitimate. The HASH is provided but not verified against known malware databases. The file name ISBEW64.exe does not match standard Windows binaries, but the context suggests it may be a false positive due to the detection rule\u0027s history.",
"verdict": "false_positive",
"voting": {
"auto_action": "auto_close_fp",
"mode": "unanimous",
"total_models": 2,
"vote_summary": [
"qwen3.5:4b: false_positive (low, 90% confidence)",
"deepseek-r1:8b: false_positive (low, 70% confidence)"
],
"votes": [
{
"confidence": 0.9,
"model": "qwen3.5:4b",
"verdict": "false_positive"
},
{
"confidence": 0.7,
"model": "deepseek-r1:8b",
"verdict": "false_positive"
}
],
"winning_count": 2,
"winning_verdict": "false_positive"
}
}
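The voting block above records a "UNANIMOUS (2/2)" false-positive vote and an `auto_close_fp` action, while the summary text shows that the primary model (gemini-cli) failed or timed out. Two of three configured models agreeing is not unanimity; the failed model simply dropped out of the denominator. The following is an added example (not FusionSOC's or LimaCharlie's code) of a tally that counts against the configured model list, so a failed model blocks auto-close under unanimous mode and is reported. The votes are copied from the Triage JSON; the configured model list is taken from the summary text; `THIRD_VOTE`, the function names and the quorum policy are assumptions made for the example.

```python
"""Tally multi-model triage votes against the configured model list.

Added example for this case page. CASE_VOTES are copied from the Triage
JSON; THIRD_VOTE is constructed to show the all-models-answered path.
"""
from statistics import mean

# Models named in the case summary; gemini-cli "Failed or timed out".
CONFIGURED_MODELS = ["gemini-cli", "qwen3.5:4b", "deepseek-r1:8b"]

# Copied from the case: only the two secondary models voted.
CASE_VOTES = [
    {"model": "qwen3.5:4b", "verdict": "false_positive", "confidence": 0.9},
    {"model": "deepseek-r1:8b", "verdict": "false_positive", "confidence": 0.7},
]

# Constructed: what a primary vote would have looked like had it arrived.
THIRD_VOTE = {"model": "gemini-cli", "verdict": "false_positive", "confidence": 0.85}


def tally_votes(votes, configured_models, mode="unanimous", auto_close_threshold=0.8):
    """Return the winning verdict, mean confidence and the auto action.

    The quorum is measured against configured_models, not against the
    models that happened to answer, so a failed model can never turn a
    partial vote into a unanimous one. auto_action is 'auto_close_fp' only
    when the quorum is met, the winner is false_positive and the mean
    confidence reaches the threshold; anything else is 'needs_review'.
    """
    responded = {v["model"] for v in votes}
    failed = [m for m in configured_models if m not in responded]

    counts = {}
    for v in votes:
        counts[v["verdict"]] = counts.get(v["verdict"], 0) + 1

    result = {
        "responding_models": len(responded),
        "configured_models": len(configured_models),
        "failed_models": failed,
        "winning_verdict": None,
        "winning_count": 0,
        "confidence": 0.0,
        "quorum_met": False,
        "auto_action": "needs_review",
    }
    if not counts:
        return result

    top = max(counts.values())
    leaders = [verdict for verdict, n in counts.items() if n == top]
    if len(leaders) != 1:  # split decision: never act automatically
        return result
    winner = leaders[0]
    result["winning_verdict"] = winner
    result["winning_count"] = top
    result["confidence"] = round(
        mean([v["confidence"] for v in votes if v["verdict"] == winner]), 2)

    if mode == "unanimous":
        result["quorum_met"] = top == len(configured_models)
    elif mode == "majority":
        result["quorum_met"] = top * 2 > len(configured_models)
    else:
        raise ValueError(f"unknown voting mode: {mode}")

    if (result["quorum_met"] and winner == "false_positive"
            and result["confidence"] >= auto_close_threshold):
        result["auto_action"] = "auto_close_fp"
    return result


if __name__ == "__main__":
    print(tally_votes(CASE_VOTES, CONFIGURED_MODELS))
    print(tally_votes(CASE_VOTES + [THIRD_VOTE], CONFIGURED_MODELS))
```

On the case's own votes this yields the same 0.8 confidence the page reports, but `failed_models` is `['gemini-cli']`, `quorum_met` is false and the action is `needs_review`; only with all three models voting does it return `auto_close_fp`.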
Response Actions
| Action | Target | Status | Result |
|---|---|---|---|
| tag | 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated | executed | Tag applied |
| recommended | Close case as false positive (unanimous AI verdict) | executed | General Activity Sweep: 0 events found |
| recommended | Monitor the file for persistence or execution | executed | Persistence Check: 0 events found |
| recommended | Verify if this is a legitimate Windows Update or system maintenance process | executed | Process Tree Investigation: 0 events found |
| recommended | Check if the hash matches known Microsoft binaries | executed | General Activity Sweep: 0 events found |
Notes (5)
FusionSOC AI · 2026-03-24T17:05 (five notes; the note bodies that survive on this page are quoted in the Timeline below)
Timeline
2026-03-24T17:23:31
analyst
Status changed: investigating → closed
2026-03-24T17:23:22
analyst
Analyst classified as False Positive (FP)
2026-03-24T17:05:17
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:05:17
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:05:17
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Check if the hash matches known Microsoft binaries **Sensor:** `8f3a47be-5629-4c...
2026-03-24T17:05:17
FusionSOC
Response action queued: recommended on Check if the hash matches known Microsoft binaries
2026-03-24T17:05:17
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:05:17
FusionSOC
Action recommended → executed: Process Tree Investigation: 0 events found
2026-03-24T17:05:17
FusionSOC AI
Note by FusionSOC AI: ## Process Tree Investigation **Action:** Verify if this is a legitimate Windows Update or system maintenance process ...
2026-03-24T17:05:17
FusionSOC
Response action queued: recommended on Verify if this is a legitimate Windows Update or system maintenance process
2026-03-24T17:05:17
FusionSOC AI
Status changed: investigating → investigating
2026-03-24T17:05:17
FusionSOC
Action recommended → executed: Persistence Check: 0 events found
2026-03-24T17:05:17
FusionSOC AI
Note by FusionSOC AI: ## Persistence Check **Action:** Monitor the file for persistence or execution **Sensor:** `8f3a47be-5629-4c...` **Tim...
2026-03-24T17:05:16
FusionSOC
Response action queued: recommended on Monitor the file for persistence or execution
2026-03-24T17:05:16
FusionSOC AI
Status changed: open → investigating
2026-03-24T17:05:16
FusionSOC
Action recommended → executed: General Activity Sweep: 0 events found
2026-03-24T17:05:16
FusionSOC AI
Note by FusionSOC AI: ## General Activity Sweep **Action:** Close case as false positive (unanimous AI verdict) **Sensor:** `8f3a47be-5629-4...
2026-03-24T17:05:16
FusionSOC
Response action queued: recommended on Close case as false positive (unanimous AI verdict)
2026-03-24T17:05:16
FusionSOC
Action tag → executed: Tag applied
2026-03-24T17:05:16
FusionSOC
Response action queued: tag on 8f3a47be-5629-4c66-921d-17c39ed07e87:fusionsoc-investigated
2026-03-24T17:05:16
FusionSOC AI
Detection 611e8d33-7b93-4cb9-b17e-5b8e69c2a803 triaged as false_positive (low severity, confidence: 80%)
2026-03-24T17:05:16
FusionSOC AI
Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB