Command Zero
Narration by Agent Zero
Critical
run-52c400fd-06e3-47e2-98ef-88502ca54075
Compromised
High confidence
  • malware
  • ransomware
  • endpoint-compromise
  • dll-injection
  • security-evasion
  • manufacturing

Active Malware Compromise on Workstation: Ransomware Activity, DLL Side-Loading, and Security Tool Evasion

Workstation ws-001 in a manufacturing facility was actively compromised by malware exhibiting ransomware behavior, DLL side-loading persistence, and security tool tampering. CrowdStrike Falcon detected all malicious activities but operated in detect-only mode, allowing the threat to run unimpeded for three days.

AUTONOMOUS INVESTIGATION
Command Zero · Agent Zero

  • Investigation time: 11m 37s (autonomous)
  • Questions asked: 28 (CROWDSTRIKE, IPDATA, MICROSOFT)
  • Records analyzed: 5.3K (across all data sources)
  • Human analysis: ~5 hrs (Tier-2 equivalent *)
  • Analyst cost saved: ~$419 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

On March 13, 2026, CrowdStrike Falcon raised a SuspiciousFileWritten alert on ws-001 (10.1.1.1), a Windows 7 workstation in the [SITE_1] Manufacturing facility. The alert mapped to T1036 Masquerading and T1486 Data Encrypted for Impact, indicating file write activity consistent with ransomware. The specific artifact that triggered investigation was `SogouExe.exe` writing `temp.dll` into the `[CUSTOM_DIR_1]` directory—a classic DLL side-loading technique targeting Chinese input method software. What made this signal noteworthy was the presence of a second masqueraded binary: a file named `精美日历.exe` (Beautiful Calendar) executed from the user desktop, but with an embedded PE header name of `SAFlashPlayer.exe`. This filename-to-original-name mismatch is a hallmark of trojanized software. The investigation correlated CrowdStrike alerts, Next-Gen SIEM process and logon events, and registry changes across 28 data queries spanning 11 minutes 37 seconds of autonomous analysis, revealing a multi-stage compromise with unblocked malicious activity.

The Questions We Asked

What follows is the path the agent walked to reach its verdict. Pivots and dead ends both made the cut. Routine steps that just ruled out the obvious are grouped together so you can skim past them.

Q1-Q9

Nine checks, mostly ruling out benign explanations.

Supporting Evidence
The masqueraded executable (Beautiful Calendar disguised as SAFlashPlayer.exe) combined with multiple separate CrowdStrike detections (SuspiciousFileWritten, RansomwareFilesModifiedInformational, FileSystemTamper, Brute Force) cannot plausibly be explained by legitimate system operations or known false positive patterns.
Confirmed
Conclusions: Not Documented as Benign · Deviates from Normal Operations · Outside Expected Role Scope · Data Access Exceeds Role · Not Explained by Legitimate Operations · Not Benign User Error · +3 more
Q10

Is malware actually present?

Pivot
What Windows binaries were executed from non-standard paths on this device according to CrowdStrike Falcon Next-Gen SIEM? (2 records)
Supporting Evidence
A trojanized executable ('精美日历.exe' = Beautiful Calendar) with an internal name of 'SAFlashPlayer.exe' was executed from the user's Desktop. This is a classic malware distribution technique: a fake utility masquerading as a calendar application.
High
Supporting Evidence
CrowdStrike explicitly categorizes file modification activity as ransomware-associated (RansomwareFilesModifiedInformational, T1486 Data Encrypted for Impact). This indicates the presence of ransomware code modifying files on the device.
High
Supporting Evidence
Tampering with CrowdStrike's protected folder (T1562.001 Disable or Modify Tools) is a behavior characteristic of malware/ransomware that attempts to disable security tools before executing its payload.
High
Conflicting Evidence Resolved
No threat intelligence confirming either SHA256 as known malware was found in platform intel, which could slightly reduce certainty.
Low
Conclusion: Malware or Malicious Software Present · No Malware or Malicious Software

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Detections: SuspiciousFileWritten · RansomwareFilesModifiedInformational · FileSystemTamper · BruteForceLogonAttempt

T1036.001 Masquerading: Invalid Code Signature
Tactic: Defense Evasion
Context: Flag processes writing DLL files to non-standard directories, particularly input method editor (IME) paths like `[CUSTOM_DIR_1]`. Alert on filename/original-filename mismatches where the PE header name differs from the on-disk filename. Monitor for temp.dll or similarly generic DLL names written to legitimate application directories, especially those targeting Chinese language support components. Correlate with process execution from user-writable paths.

T1486 Data Encrypted for Impact
Tactic: Impact
Context: Monitor for bulk file modification patterns consistent with ransomware encryption: rapid sequential writes to multiple files, file extension changes, or modification of files in user data directories. Correlate with process execution from non-standard paths and parent process chains involving masqueraded executables. Alert on file modification activity originating from processes with filename/PE header mismatches.

T1562.001 Disable or Modify Tools
Tactic: Defense Evasion
Context: Flag any process attempting to modify, delete, or tamper with security tool directories, particularly CrowdStrike Falcon protected folders. Monitor for file system operations targeting `C:\Program Files\CrowdStrike` or equivalent security software paths. Alert on processes with masquerading indicators (filename/PE header mismatch) attempting security tool tampering.

T1110.001 Brute Force: Password Guessing
Tactic: Credential Access
Context: Alert on 50+ failed logon attempts within a 24-hour window targeting a single account from a single source IP. Flag attempts targeting built-in accounts (Guest, Administrator) from the local machine (127.0.0.1 or device's own IP). Correlate with process execution from non-standard paths and other malware indicators. Investigate the source process initiating the logon attempts.
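The host-level rules from the table above, written out as an added example that is not Command Zero's or CrowdStrike's code: three plain-Python detections run over constructed telemetry shaped like this report's artefacts. The event field names, the IME and security-tool directory lists, and the sliding-window implementation of the 50-failures-in-24-hours threshold are assumptions; the redacted `[CUSTOM_DIR_1]` path has to be supplied by hand.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Assumed event schema (not Falcon's real field names): ts, event_type, image_path, original_filename,
# target_path, account, source_ip, outcome. The directory lists below are assumptions as well.
USER_WRITABLE = ("\\desktop\\", "\\downloads\\")
IME_DIRS = ("c:\\windows\\ime\\",)                 # add the redacted [CUSTOM_DIR_1] path here
SECURITY_DIRS = ("c:\\program files\\crowdstrike\\",)
BRUTE_THRESHOLD, BRUTE_WINDOW = 50, timedelta(hours=24)

def rule_masquerade(ev):
    """T1036.001: on-disk filename differs from the PE OriginalFilename."""
    path, orig = ev.get("image_path", "").lower(), ev.get("original_filename", "")
    if ev["event_type"] != "process_start" or not orig or path.endswith("\\" + orig.lower()):
        return None
    where = "user-writable" if any(d in path for d in USER_WRITABLE) else "system"
    return ("T1036.001", f"{path} carries OriginalFilename {orig} ({where} path)")

def rule_file_write(ev):
    """DLL dropped into an IME directory (side-loading) or any write under a security tool folder."""
    target = ev.get("target_path", "").lower() if ev["event_type"] == "file_write" else ""
    if target.startswith(IME_DIRS) and target.endswith(".dll"):
        return ("T1036.001", f"DLL written to IME directory: {target}")
    if target.startswith(SECURITY_DIRS):
        return ("T1562.001", f"write into security tool directory: {target}")
    return None

def rule_brute_force(events, device_ip):
    """T1110.001: 50+ failed logons to one account from one source IP inside any 24h window."""
    buckets, hits = defaultdict(list), []
    for ev in events:
        if ev["event_type"] == "logon" and ev["outcome"] == "failure":
            buckets[(ev["account"], ev["source_ip"])].append(ev["ts"])
    for (account, src), times in buckets.items():
        times.sort()  # hit if the 50th failure after failure i lands within 24h of it
        if any(times[i + BRUTE_THRESHOLD - 1] - times[i] <= BRUTE_WINDOW
               for i in range(len(times) - BRUTE_THRESHOLD + 1)):
            origin = "the host itself" if src == device_ip else src
            hits.append(("T1110.001", f"{len(times)} failed logons to {account} from {origin}"))
    return hits

def evaluate(events, device_ip):
    hits = [h for ev in events for h in (rule_masquerade(ev), rule_file_write(ev)) if h]
    return hits + rule_brute_force(events, device_ip)
T0 = datetime(2026, 3, 13, 8, 0)
SAMPLE = [  # constructed telemetry mirroring the report's artefacts (not real Falcon records)
    {"ts": T0, "event_type": "process_start", "original_filename": "SAFlashPlayer.exe",
     "image_path": "C:\\Users\\op\\Desktop\\精美日历.exe"},
    {"ts": T0, "event_type": "file_write", "target_path": "C:\\Windows\\IME\\temp.dll"},
    {"ts": T0, "event_type": "file_write", "target_path": "C:\\Program Files\\CrowdStrike\\cfg.dat"},
] + [{"ts": T0 + timedelta(seconds=i), "event_type": "logon", "account": "Guest",
      "source_ip": "10.1.1.1", "outcome": "failure"} for i in range(495)]
```

Calling `evaluate(SAMPLE, "10.1.1.1")` yields one hit per rule, the last one reading "495 failed logons to Guest from the host itself".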

Verdict Reasoning

The verdict of Compromised at high confidence rests on the following mutually corroborating signals:

1. Multiple independent CrowdStrike behavioral detections across distinct MITRE ATT&CK techniques—T1036 Masquerading (filename/PE header mismatch), T1486 Data Encrypted for Impact (ransomware file modification), T1562.001 Disable or Modify Tools (CrowdStrike protected folder tampering), and T1110.001 Brute Force (495 failed Guest logon attempts)—all on the same device within a 3-day window

2. Process telemetry showing SogouExe.exe executed 4 times across March 11–13, each time writing temp.dll to the IME directory, confirming persistent DLL side-loading behavior

3. A trojanized executable (Beautiful Calendar / SAFlashPlayer.exe) launched from the user desktop, a non-standard execution path for system binaries

4. All malicious activities completed successfully under detect-only disposition (pattern_disposition=0), meaning CrowdStrike detected but did not block the threat

5. Confidence is High rather than Confirmed because we lack hash-based malware family confirmation or sandbox detonation results; however, the behavioral evidence across five distinct attack techniques is sufficient to confirm active malware presence without requiring signature-based identification

Lessons

  1. Detect-only mode leaves the door open. In this investigation, CrowdStrike Falcon detected all five malicious behaviors (masquerading, DLL side-loading, ransomware file modification, security tool tampering, and brute force) but operated in detect-only mode. The malware ran unimpeded for three days, executing SogouExe.exe four times and completing 495 brute force attempts. The lesson: detection without prevention is a distraction. Audit your CrowdStrike Falcon policies to ensure critical threats—particularly ransomware, security tool tampering, and persistence mechanisms—are set to block or kill, not detect-only. A high detection count is not a win if the malware achieves its objectives.
  2. Filename-to-PE-header mismatch is a red flag you can act on immediately. The trojanized executable '精美日历.exe' (Beautiful Calendar) with internal name 'SAFlashPlayer.exe' was the first signal of compromise. This mismatch is trivial to detect in process telemetry and is almost never legitimate. Create a detection rule that flags any process where the on-disk filename differs from the OriginalFilename field in the PE header, especially when executed from user-writable paths like Desktop or Downloads. This single rule would have caught the initial compromise before DLL side-loading and ransomware activity began.
  3. DLL side-loading into IME directories is a known persistence vector. SogouExe.exe repeatedly wrote temp.dll to the [CUSTOM_DIR_1] input method directory—a technique documented in Chinese-targeted malware campaigns. If your organization uses Chinese input methods or has users in regions where they're common, monitor for DLL writes to IME directories (typically `C:\Windows\IME\*` or equivalent). Alert on any process writing DLLs to these paths, especially with generic names like temp.dll. Pair this with file integrity monitoring to catch DLL side-loading before the trusted IME application loads the malicious DLL.
  4. Brute force from the local machine means malware is running. The 495 failed Guest logon attempts all originated from 10.1.1.1 (the device itself). This is not a remote attacker; it's malware running on the compromised host attempting lateral movement or privilege escalation. When you see high-volume brute force from a device's own IP, immediately investigate what process is generating the logon attempts. In this case, it would have revealed the malware's credential attack behavior and confirmed active compromise before ransomware encryption began.
  5. Correlate across MITRE techniques to confirm compromise. No single alert in this investigation was definitive in isolation. But the combination of T1036 (masquerading), T1486 (ransomware file modification), T1562.001 (security tool tampering), and T1110.001 (brute force) across the same device in a 72-hour window is a clear compromise signal. Build correlation rules that trigger on multiple distinct MITRE techniques from the same device within a short timeframe. This investigation required 28 data queries to confirm what a well-tuned correlation rule could have flagged in minutes.