
6/23/22, 7:55 AM Ticket Details - Virtual Security Operations Center

Ticket Details
Service Ticket

Ticket Number: 0703631127 Status: Pending


Rating : Resolution: N/A

Created On: 06/22/22 13:48 Priority: Medium

Last Modified On: 06/22/22 13:49 Notification Status: No


File Attachments: 0 files

Research
Issue Details

Reason for Escalation: IBM MDR detected Administrador on DESKTOP-DN1N1O0, executing NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe, resulting in a Sensor-based ML alert.

## Alert Details
Crowdstrike Alert Name: Process NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe was detected
Crowdstrike Alert Time: Wed Jun 22 15:36:27 GMT 2022
Crowdstrike Mitigation:
- If the Prevention Policy is enabled, Crowdstrike will take the following actions:
- Process Blocked: true
- Process Quarantined: false
- Process Killed: false
- Registry Operation Blocked: false
Crowdstrike Alert Severity: 70
Crowdstrike Tactic: Machine Learning
Crowdstrike Technique: Sensor-based ML
Crowdstrike Technique ID: CST0007
Crowdstrike Alert URL: https://falcon.crowdstrike.com/activity/detections/detail/de92dd56b01e4bb0b72d8e45dbf398cb/188982360638

### Process Details


Process Name: NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe


Command: "C:\Users\ADMINI~1\AppData\Local\Temp\Rar$EXb5780.27776\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe","C:\Users\ADMINI~1\AppData\Local\Temp\Rar$EXb5780.27776\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe"
MD5: 3ebc234c1ae295b761e5517318e5e78e
SHA256: 997b0d9d9aece2543a5da12d8fe4e9c765e7a55276ca0edc0831845acc5811da

### Affected System and User


CID: fb799a90d58243158b75ba89c2ae092f
User Name: Administrador
Host Name: DESKTOP-DN1N1O0
Host IP: 192.168.4.32
Host OS: Windows 10
Host Group: [32f4345bb55a491487c2b9e23ca5e177, 3eeb6db7500b4789b2c21777f7a3aa4a, bfc35f8d1ae649deac4ea1920f4edb56]
Host Tags: SensorGroupingTags/DAA

## Similar Activity:
- Similar activity was not observed on other hosts.

## Analysis
CrowdStrike detected Administrador on DESKTOP-DN1N1O0 executing NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe, triggering a Sensor-based ML alert. The executable meets CrowdStrike's machine learning-based on-sensor AV protection's high confidence threshold for malicious files. This file was not blocked from execution. File reputation is unknown in OSINT sources.

The activity began with a tar file downloaded via the Chrome browser and unpacked by WinRAR:
- "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Administrador\Downloads\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.tar"
The executable then invoked InstallUtil.exe numerous times; these processes were blocked by the sensor.

The binary made DNS requests to two domains:
- stackoverflow[.]com
- cdn.discordapp[.]com

The domain cdn.discordapp[.]com is suspicious, since the Discord CDN is frequently used to host malware.

The binary also created a registry Run value named "Oceez", establishing persistence. Notably, the hash of Oceez.exe is the same as that of 'NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe', i.e. the detected executable is also known as Oceez.exe.
Value name: Oceez
Value: C:\Users\Administrador\AppData\Roaming\Adfsm\Oceez.exe

Key: \REGISTRY\USER\S-1-5-21-2323077864-677022736-2301853390-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

When hashing the file, CrowdStrike also recorded that the binary may be associated with LogiPresentation Setup version 1.60.33.0 by Logitech Inc.

Since the file's reputation is unknown, CrowdStrike has high confidence that it is malicious, yet it also observed information in the file that may be associated with 'LogiPresentation Setup'; the file should therefore be confirmed as expected activity.
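As an added example (not part of this ticket or of CrowdStrike's tooling), the checks an analyst might script to reproduce the mitigation summary above and to confirm the Run-value persistence relationship from a Falcon detection record. The record and the Run-value inventory below are constructed placeholders; field names follow the CrowdStrike detection JSON (behaviors[].pattern_disposition_details, parent_details), and the hash-inventory format is an assumption.

```python
import json

# Constructed Falcon-style detection record: field names follow the CrowdStrike
# detection JSON; every value is a placeholder, not data from this ticket.
SAMPLE_DETECTION = json.dumps({
    "detection_id": "ldt:PLACEHOLDER:1",
    "behaviors": [{
        "filename": "SAMPLE.exe",
        "sha256": "a" * 64,
        "technique": "Sensor-based ML",
        "severity": 70,
        "parent_details": {"parent_cmdline":
            '"C:\\Program Files\\WinRAR\\WinRAR.exe" "C:\\Users\\u\\Downloads\\SAMPLE.tar"'},
        "pattern_disposition_details": {
            "process_blocked": True, "quarantine_file": False, "kill_process": False,
            "registry_operation_blocked": False, "policy_disabled": True,
        },
    }],
})

# Constructed inventory of the user's CurrentVersion\Run values (assumed format):
# value name -> (target path, SHA-256 of the target file). Placeholder hashes.
SAMPLE_RUN_VALUES = {
    "Oceez": ("C:\\Users\\u\\AppData\\Roaming\\Adfsm\\Oceez.exe", "a" * 64),
    "OneDrive": ("C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe", "b" * 64),
}

def mitigation_summary(record_json: str) -> dict:
    """The four flags the ticket lists under 'Crowdstrike Mitigation', plus
    policy_disabled so the analyst can see whether prevention was active at all."""
    d = json.loads(record_json)["behaviors"][0]["pattern_disposition_details"]
    return {
        "Process Blocked": d["process_blocked"],
        "Process Quarantined": d["quarantine_file"],
        "Process Killed": d["kill_process"],
        "Registry Operation Blocked": d["registry_operation_blocked"],
        "Prevention Policy Disabled": d["policy_disabled"],
    }

def persistence_by_same_hash(record_json: str, run_values: dict) -> list:
    """Run values whose target file carries the detected binary's SHA-256: the
    'detected exe AKA Oceez.exe' relationship the analysis above describes."""
    sha = json.loads(record_json)["behaviors"][0]["sha256"]
    return [(name, path) for name, (path, h) in run_values.items() if h == sha]

def unpacked_from_archive(record_json: str) -> bool:
    """True when the parent is WinRAR opening an archive (the origin chain in the analysis)."""
    cmd = json.loads(record_json)["behaviors"][0]["parent_details"]["parent_cmdline"]
    cmd = cmd.lower().rstrip('"')
    return "winrar.exe" in cmd and cmd.endswith((".tar", ".rar", ".zip"))
```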

## IOCs
- SHA256: 997b0d9d9aece2543a5da12d8fe4e9c765e7a55276ca0edc0831845acc5811da
- C:\Users\ADMINI~1\AppData\Local\Temp\Rar$EXb9448.17575\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.exe
- C:\Users\Administrador\Downloads\NOTIFICACION DEMANDA P Y CITA 24 DE JUNIO 673-9921331GD3.tar

## Recommendations
- Confirm with user the origin of the IOC files and that it is expected activity.

Regards,
IBM Security Services
Security Operations Centers
Phone: (877) 563-8739 / (866) 266-4882
Intl Phone: +1 (404) 236 3290
Email: ibmsoc@us.ibm.com
Portal: https://portal.sec.ibm.com
Issue Code: SI Malicious Code
Device Name: daikin_DAIKIN APAM.falcon.crowdstrike.com (daikin-oska-jp-csp14)

Attack Name: Sensor-based ML


Source: 192.168.4.32
Destination:
Src. Port:
Dest. Port:
Critical Server Src. IP: N/A
Critical Server Dest. IP: IP Not Included In Critical Server List
Src Acceptable Traffic: None Defined
Source IP Block Owner:
Destination IP Block Owner:

SOC Actions Taken: analyzed and reported
Recommended Customer Actions: Confirm with user the origin of the IOC files and that it is expected activity.


Raw Event Data:



Worklog: 2 worklog entries



06/22/2022, 13:48:38 EDT: submitted by atl-prd-svcs-01d-Services


Submitted by: atl-prd-webapp-02b-SOC_Console
Portal Notification send to (1 contacts) ibm-alert@jtp.co.jp at 06.22.2022 17:48:38

Status changed to Pending

Chat Transcripts

Contact Name Start Time End Time

No items match your request.

