IBM Ticket Details - DESKTOP-D1N1O0
Ticket Details
Service Ticket
Research
Issue Details
Reason for Escalation: IBM MDR detected Administrador on DESKTOP-DN1N1O0 executing NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe, resulting in a Sensor-based ML alert.
## Alert Details
Crowdstrike Alert Name: Process NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe was detected
Crowdstrike Alert Time: Wed Jun 22 15:36:27 GMT 2022
Crowdstrike Mitigation:
- If the Prevention Policy is enabled, Crowdstrike will take the following actions:
- Process Blocked: true
- Process Quarantined: false
- Process Killed: false
- Registry Operation Blocked: false
Crowdstrike Alert Severity: 70
Crowdstrike Tactic: Machine Learning
Crowdstrike Technique: Sensor-based ML
Crowdstrike Technique ID: CST0007
Crowdstrike Alert URL: https://falcon.crowdstrike.com/activity/detections/detail/de92dd56b01e4bb0b72d8e45dbf398cb/188982360638
https://portal.sec.ibm.com/mss/ticket/securityTicketUpdate.mss?ticketId=SOCP00703631127 1/6
6/23/22, 7:55 AM Ticket Details - Virtual Security Operations Center
## Similar Activity:
- Similar activity was not observed on other hosts.
## Analysis
CrowdStrike detected Administrador on DESKTOP-DN1N1O0 executing NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe, triggering a Sensor-based ML alert. The executable NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe meets the high-confidence threshold for malicious files of CrowdStrike's machine learning-based on-sensor AV protection. This file was not blocked from execution. File reputation is unknown in OSINT sources.
The activity began from a tar file downloaded from Chrome Browser and was unpacked by WinRAR.
- "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Administrador\Downloads\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.tar"
The executable invoked InstallUtil.exe numerous times. These processes were blocked by the sensor.
The domain 'cdn.discordapp[.]com' is suspicious, since the Discord CDN is frequently used to host malware.
The binary also created a registry Run key value named "Oceez" pointing at Oceez.exe, which established persistence. Notably, the hash of Oceez.exe is the same as that of 'NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe', i.e. NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe is the same file as Oceez.exe.
Value name: Oceez
Value: C:\Users\Administrador\AppData\Roaming\Adfsm\Oceez.exe
Key: \REGISTRY\USER\S-1-5-21-2323077864-677022736-2301853390-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
When hashing the file, CrowdStrike also recorded that the binary may be associated with LogiPresentation Setup version 1.60.33.0 by Logitech Inc.
Since the file's reputation is unknown, CrowdStrike has high confidence that the file is malicious, yet it has also observed information in the file that might be associated with 'LogiPresentation Setup'; the file should therefore be confirmed as expected activity.
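The following PowerShell script is an added example for the persistence finding above; it is not part of the IBM ticket and not CrowdStrike tooling. It walks every loaded user hive under HKEY_USERS, lists Run-key values that match the value name from the ticket (or point into AppData\Roaming), hashes the referenced image, and reports whether it matches the IOC SHA256 and the persisted path recorded in the ticket. It assumes it is run with administrative rights on the affected host with the target user's hive loaded; the hash, value name and path are taken from the ticket, everything else is constructed.

```powershell
# Added example (not from the IBM ticket): read-only check of Run-key persistence
# on a Windows host, with hash comparison against the IOC reported in the ticket.
$IocSha256    = '997b0d9d9aece2543a5da12d8fe4e9c765e7a55276ca0edc0831845acc5811da'  # from the ticket
$ValueName    = 'Oceez'                                                               # from the ticket
$ExpectedPath = 'C:\Users\Administrador\AppData\Roaming\Adfsm\Oceez.exe'              # from the ticket

$findings = @()

# Enumerate every loaded user hive (HKEY_USERS\<SID>), not just HKCU, so the
# entry under the ...-500 account is found even from another admin session.
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue) {
    $sid    = $hive.PSChildName
    $runKey = "Registry::HKEY_USERS\$sid\Software\Microsoft\Windows\CurrentVersion\Run"
    if (-not (Test-Path -LiteralPath $runKey)) { continue }

    $props = Get-ItemProperty -LiteralPath $runKey
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }           # skip PowerShell provider metadata
        $cmd = [string]$p.Value

        # Flag the exact value name from the ticket, or any autorun under AppData\Roaming.
        $nameHit = ($p.Name -eq $ValueName)
        $pathHit = ($cmd -match '\\AppData\\Roaming\\')
        if (-not ($nameHit -or $pathHit)) { continue }

        # Extract the image path: quoted path first, otherwise the first token
        # (unquoted paths containing spaces will be cut short; inspect Command manually).
        $image = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split ' ')[0] }

        $hash = $null
        if (Test-Path -LiteralPath $image) {
            $hash = (Get-FileHash -LiteralPath $image -Algorithm SHA256).Hash.ToLower()
        }

        $findings += [pscustomobject]@{
            Hive        = $sid
            ValueName   = $p.Name
            Command     = $cmd
            ImagePath   = $image
            FileExists  = [bool]$hash
            Sha256      = $hash
            MatchesIoc  = ($hash -eq $IocSha256)
            PathMatches = ($image -eq $ExpectedPath)
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No matching Run-key entries found in any loaded user hive.'
} else {
    $findings | Format-Table -AutoSize
}
```

A row with MatchesIoc = True confirms the persisted binary is the same file the sensor flagged, which is what the ticket's hash observation describes; FileExists = False with a matching value name suggests the file was already quarantined or deleted while the autorun entry remains. The script changes nothing on the host, so removal of the Run value is a separate step taken only once the user has confirmed the activity is not expected.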
## IOCs
- 997b0d9d9aece2543a5da12d8fe4e9c765e7a55276ca0edc0831845acc5811da
- C:\Users\ADMINI~1\AppData\Local\Temp\Rar$EXb9448.17575\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe
- C:\Users\Administrador\Downloads\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.tar
## Recommendations
- Confirm with the user the origin of the IOC files and that the activity is expected.
Regards,
IBM Security Services
Security Operations Centers
Phone: (877) 563-8739 / (866) 266-4882
Intl Phone: +1 (404) 236 3290
Email: ibmsoc@us.ibm.com
Portal: https://portal.sec.ibm.com
Issue Code: SI Malicious Code
Device Name: daikin_DAIKIN APAM.falcon.crowdstrike.com (daikin-oska-jp-csp14)
"library_load","ioc_description":
"\\Device\\HarddiskVolume3\\Users\\Administrador\\AppData\\Lo
DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe",
"user_name": "Administrador",
"user_id": "S-1-5-21-2323077864-677022736-2301853390-500",
"control_graph_id": "ctg:de92dd56b01e4bb0b72d8e45dbf398cb:188982360638",
"triggering_process_graph_id": "pid:de92dd56b01e4bb0b72d8e45dbf398cb:349780563484",
"sha256": "997b0d9d9aece2543a5da12d8fe4e9c765e7a55276ca0edc083
"3ebc234c1ae295b761e5517318e5e78e",
"parent_details": {
  "parent_sha256": "54c441b939c9fd0ac96f3939437f0e8e259d13ab2d549f71f089f9
  "40cc85ec7b1ba5b7efa8aee50715f201",
  "parent_cmdline": "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"C:\\Users\\Administrador\\Downloads\\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3 (1).tar\"",
  "parent_process_graph_id": "pid:de92dd56b01e4bb0b72d8e45dbf398cb:349777964449"
},
"pattern_disposition": 2304,
"pattern_disposition_details": {
  "indicator": false, "detect": false, "inddet_mask": false, "sensor_only": false, "rooting": false,
  "kill_process": false, "kill_subprocess": false, "quarantine_machine": false, "quarantine_file": false,
  "policy_disabled": true, "kill_parent": false, "operation_blocked": false, "process_blocked": true,
  "registry_operation_blocked": false, "critical_process_disabled": false, "bootup_safeguard_enabled": false,
  "fs_operation_blocked": false, "handle_operation_downgraded": false, "kill_action_failed": false,
  "blocking_unsupported_or_disabled": false, "suspend_process": false, "suspend_parent": false
}}],
"email_sent": true,
"first_behavior": "2022-06-22T15:35:26Z",
"last_behavior": "2022-06-22T15:35:26Z",
"max_confidence": 70,
"max_severity": 70,
"max_severity_display
Chat Transcripts