Ticket#3537199/STONEHENGE/[##343373##] High - SentinelOne Threat - Stonehenge Advisors, Inc - BackUp.exe - 05/12/26 -- has been updated - Все последние письма

This ticket has been updated by Aakash Singh

Aakash Singh

5/18/2026 7:06 PM

Hi Team,

The detected file BackUp.exe was observed in the path \Device\HarddiskVolume1\Documents\Old Files\Saber2002\BackUp.exe and is not digitallysigned. The file was executed by explorer.exe under the user **account DESKTOP-494JT93\ccayl, **as checked the hash associated with the file was marked as malicious by multiple security vendors.

[image]

Also, as checked the instance has been mitigated [Killed and quarantined] by the sentinelOne.
As a precautionary measure, we have initiated a full disk scan on the machine DESKTOP-494JT93, as the machine was not found on RMM.

Closing this as true positive and blacklisting the hash.

Summary:

[##343373##] High - SentinelOne Threat - Stonehenge Advisors, Inc - BackUp.exe - 05/12/26

Status:

Completed

Ticket #

3537199

Company:

Stonehenge Advisors, Inc

Contact:

Dan Sablosky (POC)

Phone:

(215) 320-3777

Address:

4328-42 Ridge Avenue
Suite 104
Philadelphia, PA 19129

View Ticket

Discussion

Aakash Singh

5/18/2026 7:06 PM-7:14 PM

Dan Sablosky (POC)

5/12/2026 1:35 PM-

{      "@context": "http://schema.org",      "@type": "EmailMessage",      "potentialAction": {        "@type": "ViewAction",        "target": "https://desk.cyflare.cloud/portal/ticket/343373",        "name": "View Ticket "      },      "description": "View Ticket"    }

Dear IH-Atlantic_Stonehenge Advisors,

A ticket has been created with the following details:

Account Name: Atlantic_Stonehenge Advisors
Ticket ID:  343373
Priority:  High
Subject:  High - SentinelOne Threat - Stonehenge Advisors, Inc - BackUp.exe - 05/12/26
Description:

EDR: BackUp.exe

Customer: Stonehenge Advisors, Inc |                            Detected: 2026-05-12 10:53:49 UTC-04

Priority: HighSource: SentineloneThreat status: Mitigated - contained by socKill: SuccessQuarantine: Success
Alert Link:EDR Alert

Executive Summary                AI-Assisted

A suspicious, likely obfuscated executable was detected on a desktop used by user 'DESKTOP-494JT93\ccayl', rated as a moderate risk due to signs it may be intentionally hidden and capable of dynamic behavior; the agent successfully contained and mitigated the file, so the immediate threat is resolved. Business impact could include temporary loss of productivity for that user and a small risk of data exposure if similar files existed elsewhere. Continuous monitoring is recommended.

SOC Response Actions
Actions the SOC performed (or attempted). Follow this link for further information on Use Case #5 and Use Case #6.
ActionStatus

--- ---
DESKTOP-494JT93, no full disk scan command was sent.                        Not Configured
DESKTOP-494JT93, endpoint was not isolated from the network.                        Not Configured

Recommended Remediation

[Containment] Isolate the endpoint 'DESKTOP-494JT93' from the network (disconnect Ethernet and disable Wi‑Fi) and remove physical access until remediation is complete.
[Eradication] Remove or securely delete the file '\Device\HarddiskVolume1\Documents\Old Files\Saber2002\BackUp.exe' and any known copies from user-accessible locations on the affected device.
[Eradication] For user 'DESKTOP-494JT93\ccayl', perform a full local credential reset (change local account password) and revoke any persistent authentication tokens or stored credentials.
[Hardening] Ensure Windows 11 Home system is fully patched and enable reputable endpoint protection features, including preventing execution from the user’s 'Documents' folder via application control policies where supported.
[Hardening] Validate backups and ensure backup software does not use the same local credentials; restrict write permissions to backup destinations and implement least-privilege access for user 'DESKTOP-494JT93\ccayl'.

Key Details
Threat ClassificationGeneralEndpoint NameDESKTOP-494JT93
Detection EngineOn-Write DFI - SuspiciousEndpoint IP Address10.1.10.251
File Path\Device\HarddiskVolume1\Documents\Old Files\Saber2002\BackUp.exeSite NameStonehenge Advisors
File Hash1d6233682a257cb9d0d278c7983a60d20638f302769fbea8082a9b291ba9f6da MaliciousGroup NameStonehenge Advisors Inc - HQ
File Publisher NameSentinelOne Mitigation Policyprotect
File Publisher Signed & VerifiedNotSignedSentinelOne Mitigation Statusmitigated
Command Line
SOC Findings
Threat Intelligence & Reputation
VirusTotal

1d623368...1ba9f6da
Malicious
File hash detected by 3 security engines. Classified under the meaningful name BackUp.exe.
Hybrid-Analysis

1d623368...1ba9f6da
No Relevant Results
No behavioral or reputation data returned for this hash at the time of analysis.
Indicators of Compromise

The threat indicators reveal that this is a VisualBasic 6 executable with several concerning features. It has 'abnormal section names,' suggesting it may have been created with unusual development tools. The entry point is located in a section not typically marked for code, which is unusual. Additionally, the file can dynamically link functions during execution and has been packed using the ASPack tool. The high entropy in its sections indicates potential obfuscation or packing, suggesting it may contain encrypted or compressed data, raising further security concerns.

Cross-Service Intelligence Markdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Syntax.Inlines.HtmlEntityInlineMarkdig.Sy...

Below is additional context from other services subscribed by the customer.
ServiceSourceRelevant InsightReference

--- --- --- ---
ESN/ANo relevant tools configured for enrichment.

Need help or want us to take additional actions? Reply to this ticket and the SOC will assist.

You can view all details here: 343373

View Ticket