Command Zero
Narration by Agent Zero
Highrun-a9b70441-9081-4c28-a146-8d916cb1f34e
Malicious
High confidence
  • malware
  • social-engineering
  • double-extension
  • command-and-control
  • network-share
  • thailand

Malicious Double-Extension Executable Executed from Network Share with External Command and Control Communication

A malicious executable with a deceptive double extension (.TXT.exe) was executed from a network share on a manufacturing workstation in Thailand and immediately established communication with an external server in Luxembourg, indicating successful malware deployment through social engineering.

AUTONOMOUS INVESTIGATION
Command Zero · Agent Zero

  • Investigation time: 26m 26s (autonomous)
  • Questions asked: 19 (CrowdStrike, Microsoft Defender XDR)
  • Records analyzed: 16K (across all data sources)
  • Human analysis: ~4 hrs (Tier-2 equivalent *)
  • Analyst cost saved: ~$332 (at $85/hr loaded rate *)

Time and cost estimates are based on a Tier-2 SOC analyst model and actual investigation telemetry. Individual results vary by analyst experience, tooling, and environment.

Initial Signal

CrowdStrike Falcon detected a suspicious executable on workstation ws-001 (10.1.1.1) in Thailand. The file, named `คิดแบบใหม่.TXT.exe` (Thai for "Think New.TXT.exe"), uses a classic deceptive double extension (.TXT.exe) designed to trick users into thinking it's a harmless text file. The executable was launched from a network share path `\\10.1.1.2\[SHARE_1]\TOO\` and immediately established an outbound TCP connection to `[EXTERNAL_IP_1]:80` at 2026-03-17T07:31:00Z, approximately 1 second after execution. This maps to MITRE technique T1566.002 (Phishing: Spearphishing Link) combined with T1204.002 (User Execution: Malicious File). The timing and destination are the red flags here: the file didn't pause or perform legitimate work; it went straight to an external hosting provider in Luxembourg with no business context. The same IP was contacted by explorer.exe on 2026-03-16 and 2026-03-17, suggesting the compromise predates this alert. Investigation across CrowdStrike Falcon and Microsoft Defender XDR took 26 minutes and correlated 16,042 records across two data sources.

How We Reached the Verdict

The agent considered each plausible alternative verdict and ruled them out one at a time. Each card below lists the hypothesis tested, the evidence weighed, and the dismissal rationale.

H1: Could this be normal activity? (Ruled out)
Supporting evidence:
  • Double extension executable executed from network share (Moderate)
  • Low global prevalence but common local prevalence of the executable (Moderate)
  • Immediate outbound connection to [EXTERNAL_IP_1] on port 80 after execution (Moderate)
Dismissed: The evidence strongly indicates malicious activity rather than normal operations. The double extension executable with Thai language characters is a classic social engineering technique designed to deceive users. The file was executed from a network share and immediately established an outbound connection to an external IP address in Luxembourg (G-Core Labs hosting). The low global prevalence but common local prevalence suggests targeted malware distribution within this organization. Multiple high-severity CrowdStrike alerts further support malicious classification. (High confidence)

H2: Could this be a true positive that was blocked? (Ruled out)
Supporting evidence:
  • Double extension executable executed from network share (Moderate)
  • Immediate outbound connection to [EXTERNAL_IP_1] on port 80 after execution (Moderate)
  • Multiple CrowdStrike alerts with high severity ratings (Moderate)
Dismissed: While the alerts were correctly generated by CrowdStrike, there is no evidence that security controls actually blocked or prevented the execution of the suspicious file or its network communication. The file was successfully executed and established an outbound connection to the external IP address. This indicates the security controls detected but did not prevent the activity, ruling out a TRUE_POSITIVE_BLOCKED verdict. (High confidence)

H3: Could this be a policy violation? (Ruled out)
Supporting evidence:
  • Double extension executable executed from network share (Moderate)
  • Thai language filename suggesting targeting of Thai-speaking users (Moderate)
  • Execution occurred in Thailand manufacturing facility (Moderate)
Dismissed: While the common local prevalence and Thai language could suggest a legitimate business tool used in the Thailand facility, the deceptive double extension format is a classic malware technique with no legitimate business purpose. Legitimate business tools would not use misleading file extensions designed to trick users. Additionally, the immediate connection to an external hosting provider in Luxembourg on port 80 after execution is inconsistent with normal business application behavior. The evidence more strongly supports malicious intent rather than policy violation. (Medium confidence)

H4: Could this be a false positive? (Ruled out)
Supporting evidence:
  • Explorer.exe process flagged with FileNamePathKnownMalware alert (Moderate)
  • Standard Windows file path for explorer.exe (Moderate)
  • Common global and local prevalence for the explorer.exe process (Moderate)
Dismissed: The FileNamePathKnownMalware alert on explorer.exe appears to be a false positive. The process follows the standard Windows logon sequence, operates from the expected system directory, and performs normal Windows Explorer functions like creating shortcut files in the Recent folder. The common global and local prevalence is consistent with legitimate Windows system files. However, this single potential false positive does not negate the clear evidence of malicious activity from the double-extension executable, which represents a separate and confirmed threat. (Medium confidence)

H5: Could this be an account compromise? (Ruled out)
Supporting evidence:
  • Double extension executable executed from network share (Moderate)
  • Immediate outbound connection to [EXTERNAL_IP_1] on port 80 after execution (Moderate)
  • Low global prevalence but common local prevalence of the executable (Moderate)
Dismissed: While malicious activity is clearly present, there is no evidence that this incident involves compromised credentials or account takeover. The attack vector appears to be social engineering through a deceptive executable rather than credential theft. The user appears to have been tricked into executing the malicious file, but there is no indication that the account itself was compromised by an external actor. The evidence points to malware execution rather than account compromise. (High confidence)

Disconfirming Evidence

Evidence that pushed against the agent's working hypothesis. Each item changed the direction of the investigation.

Evidence Gathered

The agent queried these data sources during the investigation. Each entry shows what was checked, what came back, and the methodology behind the query.

  • Process execution: Execution of file 'คิดแบบใหม่.TXT.exe' (Thai for 'Think New.TXT.exe') with deceptive double extension designed to hide executable nature
    Methodology: CrowdStrike Falcon detects process execution events through endpoint telemetry. The DoubleExtensionProcess and DoubleExtensionExecuted alerts are triggered when a binary with a double extension pattern (e.g., .TXT.exe) is executed. This detection is based on filename analysis and process creation events captured by the Falcon sensor.
    Source: CrowdStrike Falcon alerts (DoubleExtensionProcess, DoubleExtensionExecuted)
  • File location: File executed from network share path '\\10.1.1.2\[SHARE_1]\TOO\' mapped as Z: drive
    Methodology: CrowdStrike Falcon captures process command line arguments and file paths during process creation. The network share path is extracted from the ImageFileName or CommandLine field in process events, revealing the source location of the executed binary.
    Source: CrowdStrike Falcon process command line data
  • Network activity: Immediate outbound TCP connection to [EXTERNAL_IP_1]:80 established at 2026-03-17T07:31:00Z, approximately 1 second after execution
    Methodology: CrowdStrike Falcon Next-Gen SIEM captures network connection events (NetworkConnectIP4) with timestamps, source/destination IPs, ports, and associated process information. The timing correlation between process execution and network connection is derived from event timestamps.
    Source: CrowdStrike Falcon network connection logs
  • Threat intelligence: IP [EXTERNAL_IP_1] belongs to G-Core Labs S.A. hosting provider in Luxembourg with no VPN/proxy indicators
    Methodology: IP enrichment services correlate IP addresses against known hosting providers, VPN services, and proxy networks to establish business context and identify suspicious infrastructure.
    Source: IP enrichment data
  • File reputation: Suspicious file has SHA256 hash 3a554c3a4ec13257a7acfa046c447ba09efd607dc84f1f5908d690c23f8e0472 with 'low' global prevalence but 'common' local prevalence
    Methodology: CrowdStrike Falcon maintains file prevalence data based on the number of endpoints globally and locally that have executed a given file hash. Low global prevalence indicates the file is rare worldwide; common local prevalence indicates multiple executions within the organization.
    Source: CrowdStrike Falcon file metadata
  • Security alert: Multiple high-severity CrowdStrike alerts triggered simultaneously at 2026-03-17T07:32:03Z from different detection engines
    Methodology: CrowdStrike Falcon generates alerts based on behavioral analysis, signature matching, and machine learning models. Multiple simultaneous alerts from different detection engines indicate high confidence in the malicious classification.
    Source: CrowdStrike Falcon alert timeline
  • Network pattern: Same external IP ([EXTERNAL_IP_1]) contacted by explorer.exe process on 2026-03-16T10:47:05Z and 2026-03-17T05:13:27Z
    Methodology: CrowdStrike Falcon network events are correlated by destination IP and timestamp to identify patterns of repeated communication. The presence of the same external IP in multiple process connections across different timestamps indicates persistent communication.
    Source: CrowdStrike Falcon network connection logs

False Positive Analysis

The agent ran these validation checks to confirm the verdict isn't a false positive.

  1. fp1: Verified the file uses a deceptive double extension (.TXT.exe) designed to trick users (Pass)
  2. fp2: Analyzed network communication pattern immediately following execution (Pass)
  3. fp3: Evaluated file prevalence and distribution pattern (Pass)
  4. fp4: Assessed potential legitimate business purposes (Pass)

Detection Opportunities

The high-fidelity detection signals from this investigation, sanitized for general use. Each MITRE ID links to the official technique reference.

Alert types: DoubleExtensionProcess, FileNamePathKnownMalware, NetworkConnectIP4

  • T1036.007 Masquerading: Double File Extension (tactic: Defense Evasion)
    Context: Flag any process execution where the filename contains a double extension pattern (e.g., .TXT.exe, .PDF.exe, .DOC.exe). Alert on executables with non-executable extensions followed by .exe, especially when executed from user-writable or network-accessible paths. Monitor for files with Thai, Chinese, or other non-Latin script characters combined with double extensions, as this pattern targets users unfamiliar with the language. Threshold: any single execution of a double-extension binary should trigger investigation.
  • T1204.002 User Execution: Malicious File (tactic: Execution)
    Context: Monitor for execution of files from network shares (UNC paths or mapped drives) that match known malware signatures or exhibit suspicious characteristics. Flag files with low global prevalence but common local prevalence, as this pattern indicates targeted distribution within a specific organization. Alert on any executable launched from shares named with generic or obfuscated folder names (e.g., 'TOO', 'SHARE_1'). Correlate file execution with immediate outbound network connections to external IPs.
  • T1071.001 Application Layer Protocol: Web Protocols (tactic: Command and Control)
    Context: Alert on unencrypted HTTP (port 80) connections to external IPs immediately following process execution, especially from newly-launched executables. Flag connections to hosting providers (G-Core Labs, Linode, DigitalOcean, etc.) that lack business context. Monitor for repeated connections to the same external IP from different processes (e.g., explorer.exe and a suspicious executable) on the same device, as this indicates persistent C2 communication. Threshold: any outbound HTTP connection within 1 second of a suspicious process launch warrants escalation.
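The three detection ideas above, turned into runnable logic as an added example (editor-added code, not Command Zero's, Agent Zero's or CrowdStrike's, and not a Falcon query). It replays a handful of constructed process-creation and network-connection events through a double-extension check, a network-share execution check, and a process-to-connection correlation that fires when a suspicious process reaches an external IP within a few seconds of starting or when several processes on one device talk to the same external IP. The event field names (ts, device, pid, image, dst_ip, dst_port), the mapped drive letter, the extension list, and the 203.0.113.5 documentation address standing in for [EXTERNAL_IP_1] are all assumptions made for this example.

```python
# Added example: replays constructed Falcon-like events through the three
# detection ideas above. Not Command Zero, Agent Zero or CrowdStrike code;
# field names and sample data are assumptions made for this example.
from __future__ import annotations

import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Non-executable extension immediately followed by .exe (e.g. report.TXT.exe).
# The extension list is an assumption; extend it to what your users open.
DOUBLE_EXT_RE = re.compile(
    r"\.(txt|pdf|doc|docx|xls|xlsx|ppt|pptx|rtf|jpg|jpeg|png)\.exe$", re.IGNORECASE
)
UNC_RE = re.compile(r"^\\\\[^\\]+\\")  # \\server\share\...
MAPPED_DRIVES = {"Z:"}                 # drive letters this org maps to shares (assumption)
C2_WINDOW = timedelta(seconds=5)       # how soon after start counts as "immediate"
# RFC 1918, loopback and link-local count as internal; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def parse_ts(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def has_double_extension(image: str) -> bool:
    name = re.split(r"[\\/]", image)[-1]          # basename of the image path
    return bool(DOUBLE_EXT_RE.search(name))


def from_network_share(image: str) -> bool:
    return bool(UNC_RE.match(image)) or image[:2].upper() in MAPPED_DRIVES


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyze(process_events, network_events):
    """Return one finding dict per rule match. A process is 'suspicious' for the
    C2 timing rule if it has a double extension or started from a share."""
    findings = []
    procs = {(p["device"], p["pid"]): p for p in process_events}

    for p in process_events:
        if has_double_extension(p["image"]):
            findings.append({"rule": "T1036.007", "kind": "double_extension",
                             "device": p["device"], "pid": p["pid"], "image": p["image"]})
        if from_network_share(p["image"]):
            findings.append({"rule": "T1204.002", "kind": "network_share_exec",
                             "device": p["device"], "pid": p["pid"], "image": p["image"]})

    images_by_dst = defaultdict(set)  # (device, external ip) -> process images seen
    for n in network_events:
        if not is_external(n["dst_ip"]):
            continue                                   # internal traffic is out of scope here
        images_by_dst[(n["device"], n["dst_ip"])].add(n["image"])
        p = procs.get((n["device"], n["pid"]))
        if p is None:
            continue
        delta = parse_ts(n["ts"]) - parse_ts(p["ts"])
        suspicious = has_double_extension(p["image"]) or from_network_share(p["image"])
        if suspicious and timedelta(0) <= delta <= C2_WINDOW:
            findings.append({"rule": "T1071.001", "kind": "immediate_c2",
                             "device": n["device"], "pid": n["pid"],
                             "dst": f'{n["dst_ip"]}:{n["dst_port"]}',
                             "seconds_after_start": delta.total_seconds()})

    # Same external IP reached by more than one process image on one device.
    for (device, dst_ip), images in images_by_dst.items():
        if len(images) > 1:
            findings.append({"rule": "T1071.001", "kind": "repeat_c2",
                             "device": device, "dst": dst_ip, "images": sorted(images)})
    return findings


# Constructed sample telemetry (not real logs). 203.0.113.5 stands in for [EXTERNAL_IP_1].
MAL = r"\\10.1.1.2\SHARE_1\TOO\think_new.TXT.exe"     # constructed stand-in for the Thai filename
EXPL = r"C:\Windows\explorer.exe"
UPD = r"C:\Program Files\Vendor\updater.exe"
PROCESS_EVENTS = [
    {"ts": "2026-03-16T08:00:00Z", "device": "ws-001", "pid": 3100, "image": EXPL},
    {"ts": "2026-03-17T07:30:59Z", "device": "ws-001", "pid": 4120, "image": MAL},
    {"ts": "2026-03-17T08:00:00Z", "device": "ws-001", "pid": 5000, "image": UPD},
    {"ts": "2026-03-17T08:10:00Z", "device": "ws-001", "pid": 5200, "image": r"Z:\TOO\inventory.exe"},
]
NETWORK_EVENTS = [
    {"ts": "2026-03-16T10:47:05Z", "device": "ws-001", "pid": 3100, "image": EXPL, "dst_ip": "203.0.113.5", "dst_port": 80},
    {"ts": "2026-03-17T05:13:27Z", "device": "ws-001", "pid": 3100, "image": EXPL, "dst_ip": "203.0.113.5", "dst_port": 80},
    {"ts": "2026-03-17T07:31:00Z", "device": "ws-001", "pid": 4120, "image": MAL, "dst_ip": "203.0.113.5", "dst_port": 80},
    {"ts": "2026-03-17T07:40:00Z", "device": "ws-001", "pid": 4120, "image": MAL, "dst_ip": "10.1.1.2", "dst_port": 445},
    {"ts": "2026-03-17T08:01:30Z", "device": "ws-001", "pid": 5000, "image": UPD, "dst_ip": "198.51.100.7", "dst_port": 443},
]

if __name__ == "__main__":
    for finding in analyze(PROCESS_EVENTS, NETWORK_EVENTS):
        print(finding)
```

On the sample data the share-launched `inventory.exe` fires only the T1204.002 rule, the updater fires nothing (it connects 90 seconds after start and is not itself suspicious), and the double-extension binary fires all three, with the repeat-connection finding tying it to the earlier explorer.exe traffic. The timing window and the "suspicious process" precondition are what keep the T1071.001 rule from paging on every browser launch; tune both against your own baseline.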

Verdict Reasoning

The verdict of Malicious at high confidence rests on the following mutually corroborating signals:

1. The file uses a deceptive double extension (.TXT.exe), a textbook social engineering technique with no legitimate business purpose. Windows hides known extensions by default, making this appear as a text file to the user

2. Execution occurred from a network share (`\\10.1.1.2\[SHARE_1]\TOO\`), suggesting either a compromised share or targeted distribution within the organization

3. Immediate outbound connection to `[EXTERNAL_IP_1]:80` within 1 second of execution is consistent with command-and-control behavior; legitimate applications do not establish external connections this quickly

4. The external IP belongs to G-Core Labs S.A., a hosting provider in Luxembourg, with no documented business relationship to the organization

5. The same IP was contacted by explorer.exe on 2026-03-16 and 2026-03-17, indicating persistent presence and prior compromise

6. Multiple high-severity CrowdStrike alerts (DoubleExtensionProcess, DoubleExtensionExecuted) were triggered simultaneously, confirming detection across independent engines. Confidence is High rather than Confirmed because the investigation did not recover the full command-and-control payload or establish the initial infection vector (how the file reached the network share)

Lessons

  1. Double extensions are not benign—they are deliberate deception. In this investigation, the .TXT.exe pattern was the first signal that execution was malicious. Windows hides known file extensions by default, so users see only 'Think New.TXT' and assume it's a document. This is not a coincidence or a quirk of the filesystem; it is a deliberate attacker choice. Any alert flagging a double extension should be treated as high-confidence malware until proven otherwise. Do not dismiss it as a false positive based on the presence of a 'legitimate' extension in the name.
  2. Network share execution is a distribution vector, not a safety feature. The file was executed from a network share accessible to multiple users. This is not a sign of legitimacy; it is a sign of targeted distribution. Attackers place malware on shared drives to maximize exposure within an organization. The common local prevalence combined with low global prevalence is a strong indicator of targeted malware. Investigate the source of the share and audit who has write access.
  3. Immediate external connections after execution are command-and-control. The malicious executable connected to [EXTERNAL_IP_1]:80 within 1 second of execution. Legitimate applications do not establish external connections this quickly. They perform initialization, load configuration, and then communicate. This timing pattern is consistent with command-and-control behavior. The use of unencrypted HTTP (port 80) rather than HTTPS (port 443) further suggests an attacker-controlled server.
  4. Persistent C2 communication across processes indicates active compromise. The same external IP was contacted by explorer.exe on 2026-03-16 and 2026-03-17, before and after the malicious executable was executed. This is not coincidence; it indicates the device was already compromised and the malicious executable was a secondary payload or lateral movement tool. Do not assume the device is clean after isolating the malicious file. Investigate all network connections to the external IP and audit for additional persistence mechanisms.
  5. Low global prevalence + common local prevalence = targeted attack. The suspicious file had low global prevalence (rare worldwide) but common local prevalence (multiple executions within the organization). This distribution pattern is a hallmark of targeted malware campaigns. Attackers customize malware for specific organizations or industries to evade generic detection. The Thai language filename further suggests targeting of the Thailand manufacturing facility. Investigate whether other devices in the facility have similar files or connections to the same external IP.