Severity: high · Status: closed · Verdict: false positive

๐Ÿท๏ธ Analyst Verdict Classification

FP by analyst

๐Ÿค– AI Analysis

๐Ÿ”” Detections (1)

New Code Atypical Path high
Rule: general.NEW FILE WRITE BYTES SAMPLE GRAB
Hostname: desktop-3nfb237 · Sensor: ed8f7c3f-3a1a-49...
Event Type: NEW_DOCUMENT
Confidence: 63% · Verdict: false positive
Event Data:
FILE_PATH:
C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpRecovery.exe
HASH:
317f4ff99ea5501b6d80229c9bda4d459eb942536b4e05021abf8b167295bc71
PROCESS_ID:
17988
Analyst Declaration:
📄 Raw Detection JSON
{
  "author": "ckeller@fusioncybersecurity.us",
  "cat": "New Code Atypical Path",
  "detect": {
    "event": {
      "FILE_PATH": "C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpRecovery.exe",
      "HASH": "317f4ff99ea5501b6d80229c9bda4d459eb942536b4e05021abf8b167295bc71",
      "PROCESS_ID": 17988
    },
    "routing": {
      "arch": 2,
      "did": "",
      "event_id": "2d8d37fa-23c2-4e14-8524-ae07f703fa37",
      "event_time": 1774468113361,
      "event_type": "NEW_DOCUMENT",
      "ext_ip": "23.128.32.10",
      "hostname": "desktop-3nfb237",
      "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
      "int_ip": "192.168.50.40",
      "latency": 6932,
      "moduleid": 2,
      "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
      "parent": "9727bc761f07cc5e5c90b93a69c43c07",
      "plat": 268435456,
      "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
      "tags": [
        "fusion-soc-alert",
        "fusion-soc-case",
        "fusion-soc-pulled",
        "fusion-soc-triage",
        "fusionsoc-critical",
        "fusionsoc-high",
        "fusionsoc-investigated",
        "qucikbooks",
        "windows",
        "yara_detection_memory"
      ],
      "this": "2e1ce33db2e54cf757ee4ab469c43c17"
    }
  },
  "detect_id": "b739f384-e76c-4401-b68c-50ff69c43c18",
  "gen_time": 1774468120293,
  "link": "https://app.limacharlie.io/orgs/d3541070-8b0e-4663-8a6a-aa0727aacd36/sensors/ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136/timeline?time=1774468113\u0026selected=2e1ce33db2e54cf757ee4ab469c43c17",
  "namespace": "general",
  "routing": {
    "arch": 2,
    "did": "",
    "event_id": "2d8d37fa-23c2-4e14-8524-ae07f703fa37",
    "event_time": 1774468113361,
    "event_type": "NEW_DOCUMENT",
    "ext_ip": "23.128.32.10",
    "hostname": "desktop-3nfb237",
    "iid": "b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175",
    "int_ip": "192.168.50.40",
    "latency": 6932,
    "moduleid": 2,
    "oid": "d3541070-8b0e-4663-8a6a-aa0727aacd36",
    "parent": "9727bc761f07cc5e5c90b93a69c43c07",
    "plat": 268435456,
    "sid": "ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136",
    "tags": [
      "fusion-soc-alert",
      "fusion-soc-case",
      "fusion-soc-pulled",
      "fusion-soc-triage",
      "fusionsoc-critical",
      "fusionsoc-high",
      "fusionsoc-investigated",
      "qucikbooks",
      "windows",
      "yara_detection_memory"
    ],
    "this": "2e1ce33db2e54cf757ee4ab469c43c17"
  },
  "source": "d3541070-8b0e-4663-8a6a-aa0727aacd36.b2cd59fc-d09d-49e0-a9f2-1fd79ee9c175.ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136.10000000.2",
  "source_rule": "general.NEW FILE WRITE BYTES SAMPLE GRAB",
  "ts": 1774468120000
}
🌐 Threat Intel JSON
{
  "virustotal": {
    "malicious": false,
    "provider": "virustotal",
    "reputation": 0,
    "stats": {
      "confirmed-timeout": 0,
      "failure": 0,
      "harmless": 0,
      "malicious": 0,
      "suspicious": 0,
      "timeout": 0,
      "type-unsupported": 4,
      "undetected": 72
    }
  }
}
🤖 Triage JSON
{
  "confidence": 0.633,
  "false_positive_reason": null,
  "investigation_questions": [],
  "ioc_analysis": "",
  "iocs_extracted": [],
  "mitre_techniques": [],
  "recommended_actions": [
    "Manual analyst review required \u2014 AI models (majority)",
    "Manual review required"
  ],
  "risk_score": 23,
  "severity": "high",
  "summary": "**Vote: MAJORITY (2/3 -\u003e FALSE POSITIVE)**\n\n### \ud83e\udd16 qwen3.5:4b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThis detection is a false positive because MpRecovery.exe is a legitimate Microsoft Defender process that operates in the Windows Temp directory during scanning operations. The process tree shows it spawning MpSigStub.exe with standard signatures stubbing commands, which is consistent with normal antivirus behavior.\n\n**IOC Analysis:** MpRecovery.exe is a known Microsoft Defender recovery process that runs from C:\\Windows\\Temp\\ during scans. The child process MpSigStub.exe executing signature stubbing commands confirms this is legitimate Windows Defender activity rather than malware execution.\n\n---\n\n### \ud83e\udd16 deepseek-r1:8b Analysis (Secondary + RAG)\n**Verdict:** false_positive | **Confidence:** 0.95\nThe detection event is likely a false positive as the file and process are associated with legitimate Microsoft security services, specifically Windows Defender components, and no malicious activity was detected in the investigation.\n\n**IOC Analysis:** The FILE_PATH C:\\Windows\\Temp\\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\\MpRecovery.exe and its child process MpSigStub.exe are commonly used by Microsoft security tools for legitimate system operations. The hash provided does not match known malware signatures, and the process tree shows no suspicious behavior. The location in C:\\Windows\\Temp is typical for temporary files used by system processes, and the user context (NT AUTHORITY\\SYSTEM) is consistent with system-level operations.",
  "verdict": "false_positive",
  "voting": {
    "auto_action": "manual_review",
    "mode": "majority",
    "total_models": 3,
    "vote_summary": [
      "gemini-cli: true_positive (medium, 0% confidence)",
      "qwen3.5:4b +RAG: false_positive (informational, 95% confidence)",
      "deepseek-r1:8b +RAG: false_positive (low, 95% confidence)"
    ],
    "votes": [
      {
        "confidence": 0.0,
        "model": "gemini-cli",
        "verdict": "true_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "qwen3.5:4b",
        "verdict": "false_positive"
      },
      {
        "confidence": 0.95,
        "had_rag": true,
        "model": "deepseek-r1:8b",
        "verdict": "false_positive"
      }
    ],
    "winning_count": 2,
    "winning_verdict": "false_positive"
  }
}
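The `voting` block above is a plain majority vote across three models, and its `confidence` of 0.633 is the mean of the three reported confidences, including the 0.0 from gemini-cli. The Python below is an added example, not FusionSOC's own code: it reproduces `winning_verdict`, `winning_count` and `confidence` from the `votes` list, handles the tie case the page does not show, and lists dissenting models so an analyst can see that the dissent here came from a vote cast at 0% confidence. The `auto_action` policy in it (only a unanimous and confident vote may skip human review) is an assumption, not FusionSOC's documented rule.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Vote:
    model: str
    verdict: str        # "true_positive" | "false_positive"
    confidence: float   # 0.0 .. 1.0 as reported by the model
    had_rag: bool = False


def aggregate(votes, unanimous_floor=0.9):
    """Majority vote over per-model verdicts.

    Mirrors the fields of the case's `voting` block.  `confidence` is the
    plain mean over every vote, so a model answering with 0.0 confidence
    still casts a full vote on the verdict while pulling the mean down.
    The `auto_action` policy is an assumption for this example.
    """
    if not votes:
        return {"mode": "majority", "total_models": 0, "winning_verdict": None,
                "winning_count": 0, "confidence": 0.0, "auto_action": "manual_review"}
    tally = Counter(v.verdict for v in votes).most_common()
    top, top_n = tally[0]
    tied = len(tally) > 1 and tally[1][1] == top_n
    mean_conf = sum(v.confidence for v in votes) / len(votes)
    unanimous = top_n == len(votes)
    confident = min(v.confidence for v in votes) >= unanimous_floor
    if tied or not (unanimous and confident):
        action = "manual_review"
    else:
        action = "auto_close" if top == "false_positive" else "escalate"
    return {
        "mode": "majority",
        "total_models": len(votes),
        "winning_verdict": None if tied else top,
        "winning_count": top_n,
        "confidence": round(mean_conf, 3),
        "auto_action": action,
    }


def dissenters(votes):
    """Models that voted against the winning verdict, with their confidence.
    A dissenter at 0.0 confidence is a reason to re-run that model, not to
    treat the majority as settled."""
    winner = aggregate(votes)["winning_verdict"]
    if winner is None:
        return []
    return [(v.model, v.confidence) for v in votes if v.verdict != winner]


# Votes copied from this case's Triage JSON.
CASE_VOTES = [
    Vote("gemini-cli", "true_positive", 0.0),
    Vote("qwen3.5:4b", "false_positive", 0.95, had_rag=True),
    Vote("deepseek-r1:8b", "false_positive", 0.95, had_rag=True),
]

if __name__ == "__main__":
    print(aggregate(CASE_VOTES))
    print(dissenters(CASE_VOTES))
```

Run as-is it prints the same winning verdict, count and 0.633 confidence as the page; swapping the gemini-cli vote for the 95% false_positive it cast in the 22:18 run turns the result unanimous.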

⚙️ Response Actions

Action      | Target                                                                                                  | Status   | Result
tag         | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated                                             | executed | Tag applied
recommended | Manual review required                                                                                  | executed | General Activity Sweep: 0 events found
tag         | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated                                             | executed | Tag applied
recommended | None required; this is a legitimate system process.                                                     | executed | Process Tree Investigation: 50 events found
recommended | Consider tuning the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude known Microsoft Defender paths.  | executed | File Activity Investigation: 0 events found
tag         | ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated                                             | executed | Tag applied
recommended | Manual review required                                                                                  | executed | General Activity Sweep: 0 events found
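One recommended action above is to tune the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude known Microsoft Defender paths. The Python below is an added example, not FusionSOC's or LimaCharlie's code, showing how to write that exclusion so that it keys on the path pattern and a vetted SHA-256 together rather than on the path alone: a path-only exclusion is inherited by anything that can create C:\Windows\Temp\<guid>\MpRecovery.exe. It treats the GUID folder as a wildcard (an assumption that it changes per run), allowlists the hash from this case (an assumption that the 0/72 VirusTotal result makes it acceptable), and feeds it the case's own detection plus three constructed look-alikes. A production version would also check the Authenticode signer, which the NEW_DOCUMENT event on this page does not carry.

```python
import re

# The case path has the shape C:\Windows\Temp\<GUID>\MpRecovery.exe.  The GUID
# is treated as a wildcard (assumption: it varies per run); hard-coding it
# would make the exclusion dead after the next run.
_GUID = r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
DEFENDER_TEMP_RE = re.compile(
    r"^c:\\windows\\temp\\" + _GUID + r"\\mprecovery\.exe$", re.IGNORECASE
)

# SHA-256 values vetted for suppression.  This is the hash from the case;
# treating it as known good is an assumption made for the example.
KNOWN_GOOD_SHA256 = frozenset({
    "317f4ff99ea5501b6d80229c9bda4d459eb942536b4e05021abf8b167295bc71",
})


def should_suppress(event):
    """Decide whether a NEW_DOCUMENT event matches the tuned exclusion.

    Both conditions must hold: the path fits the Defender temp pattern AND
    the hash is vetted.  The path is not an identity, so a look-alike dropped
    at the same location with a different hash is still raised.
    Returns (suppress, reason).
    """
    path = str(event.get("FILE_PATH", ""))
    sha256 = str(event.get("HASH", "")).lower()
    if not DEFENDER_TEMP_RE.match(path):
        return False, "path outside Defender temp pattern"
    if sha256 not in KNOWN_GOOD_SHA256:
        return False, "Defender path but unvetted hash; keep the detection"
    return True, "vetted Defender MpRecovery.exe"


def filter_detections(detections):
    """Split raw detections (same shape as the page's Raw Detection JSON)
    into those the tuned rule would still raise and those it would drop."""
    raised, suppressed = [], []
    for det in detections:
        drop, why = should_suppress(det["detect"]["event"])
        (suppressed if drop else raised).append((det["detect_id"], why))
    return raised, suppressed


def _det(detect_id, path, sha256):
    """Build a minimal detection in the page's shape (constructed helper)."""
    return {"detect_id": detect_id,
            "detect": {"event": {"FILE_PATH": path, "HASH": sha256,
                                 "PROCESS_ID": 17988}}}


CASE_HASH = "317f4ff99ea5501b6d80229c9bda4d459eb942536b4e05021abf8b167295bc71"
SAMPLE_DETECTIONS = [
    # 1. The detection from this case (values copied from the page).
    _det("b739f384-e76c-4401-b68c-50ff69c43c18",
         r"C:\Windows\Temp\3A22930E-7933-4932-A06B-DA4B7DB2FB1F\MpRecovery.exe",
         CASE_HASH),
    # 2. Constructed: the same binary dropped under a fresh GUID folder.
    _det("constructed-new-guid",
         r"C:\Windows\Temp\0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B\MpRecovery.exe",
         CASE_HASH),
    # 3. Constructed: a look-alike in the Defender path with another hash.
    _det("constructed-lookalike",
         r"C:\Windows\Temp\0F1E2D3C-4B5A-6978-8A9B-0C1D2E3F4A5B\MpRecovery.exe",
         "0" * 64),
    # 4. Constructed: the vetted binary copied somewhere it does not belong.
    _det("constructed-wrong-path",
         r"C:\Users\Public\MpRecovery.exe", CASE_HASH),
]

if __name__ == "__main__":
    raised, suppressed = filter_detections(SAMPLE_DETECTIONS)
    print("suppressed:", suppressed)
    print("raised:", raised)
```

Only the first two samples are dropped; the look-alike with an unvetted hash and the vetted binary in a foreign location both stay visible, which is the behaviour a path-only exclusion would lose.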

💬 Notes (8)

🤖 FusionSOC AI 2026-03-25T22:50
🤖 FusionSOC AI 2026-03-25T22:50
🤖 FusionSOC AI 2026-03-25T22:18
🤖 FusionSOC AI 2026-03-25T22:18
🤖 FusionSOC AI 2026-03-25T22:18
🤖 FusionSOC AI 2026-03-25T21:43
🤖 FusionSOC AI 2026-03-25T21:42
🤖 FusionSOC AI 2026-03-25T21:42

📜 Timeline

Time                 | Actor        | Event
2026-03-26T14:34:17  | analyst      | Status changed: investigating → closed
2026-03-26T14:34:09  | analyst      | Analyst classified as False Positive (FP)
2026-03-25T22:50:40  | FusionSOC AI | Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T22:50:21  | FusionSOC AI | Status changed: investigating → investigating
2026-03-25T22:50:21  | FusionSOC    | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T22:50:21  | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T22:50:20  | FusionSOC    | Response action queued: recommended on Manual review required
2026-03-25T22:50:20  | FusionSOC    | Action tag → executed: Tag applied
2026-03-25T22:50:20  | FusionSOC    | Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T22:18:26  | FusionSOC AI | Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** UNANIMOUS (3/3 → FALSE POSITIVE) - gemini-cli: false_positive (low, 95% c...
2026-03-25T22:18:10  | FusionSOC AI | Status changed: investigating → investigating
2026-03-25T22:18:10  | FusionSOC    | Action recommended → executed: File Activity Investigation: 0 events found
2026-03-25T22:18:10  | FusionSOC AI | Note by FusionSOC AI: ## 🔍 File Activity Investigation **Action:** Consider tuning the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude know...
2026-03-25T22:18:09  | FusionSOC    | Response action queued: recommended on Consider tuning the 'NEW FILE WRITE BYTES SAMPLE GRAB' rule to exclude known Microsoft Defender paths.
2026-03-25T22:18:09  | FusionSOC AI | Status changed: investigating → investigating
2026-03-25T22:18:09  | FusionSOC    | Action recommended → executed: Process Tree Investigation: 50 events found
2026-03-25T22:18:09  | FusionSOC AI | Note by FusionSOC AI: ## 🔍 Process Tree Investigation **Action:** None required; this is a legitimate system process. **Sensor:** `ed8f7c3f-3a...
2026-03-25T22:18:07  | FusionSOC    | Response action queued: recommended on None required; this is a legitimate system process.
2026-03-25T22:18:07  | FusionSOC    | Action tag → executed: Tag applied
2026-03-25T22:18:07  | FusionSOC    | Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:43:08  | FusionSOC AI | Note by FusionSOC AI: ## 🗳️ Secondary Vote (RAG-Enhanced) **Vote:** MAJORITY (2/3 → FALSE POSITIVE) - gemini-cli: true_positive (medium, 0% c...
2026-03-25T21:42:51  | FusionSOC AI | Status changed: open → investigating
2026-03-25T21:42:51  | FusionSOC    | Action recommended → executed: General Activity Sweep: 0 events found
2026-03-25T21:42:51  | FusionSOC AI | Note by FusionSOC AI: ## 🔍 General Activity Sweep **Action:** Manual review required **Sensor:** `ed8f7c3f-3a1a-49...` **Time Window:** +/- 2 ...
2026-03-25T21:42:50  | FusionSOC    | Response action queued: recommended on Manual review required
2026-03-25T21:42:50  | FusionSOC    | Action tag → executed: Tag applied
2026-03-25T21:42:50  | FusionSOC    | Response action queued: tag on ed8f7c3f-3a1a-493e-8fa4-35eb8c30b136:fusionsoc-investigated
2026-03-25T21:42:50  | FusionSOC AI | Detection b739f384-e76c-4401-b68c-50ff69c43c18 triaged as true_positive (medium severity, confidence: 0%)
2026-03-25T21:42:50  | FusionSOC AI | Case created from detection: general.NEW FILE WRITE BYTES SAMPLE GRAB