Scenario

You are a SOC analyst on the SOC team at Managed Server Provider TrySecureMe. Today, you are supporting an L3 analyst in investigating flagged IPs, hashes, URLs, or domains as part of IR activities. One of the L1 analysts flagged two suspicious findings early in the morning and escalated them. Your task is to analyse these findings further and distil the information into usable threat intelligence.

Flagged IP: 101[.]99[.]76[.]120

Flagged SHA256 hash: 5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f

We recently purchased a new threat intelligence search application called TryDetectThis2.0. You can use this application to gather information on the indicators above.
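Before an indicator is pasted into a threat intelligence tool it has to be refanged and typed, and an analyst should check that it is actually worth an external lookup (a private address, for example, is not). The following is an added example, not part of the room or of TryDetectThis2.0; the defanging forms it handles and the "Flagged <kind>: <value>" note layout are assumptions, and the input list is constructed from the two indicators above.

```python
import ipaddress
import re
# Defanging forms handled (assumption: the escalation note uses only these)
_DEFANG = [
    (re.compile(r"\[\.\]|\(\.\)|\{\.\}"), "."),
    (re.compile(r"\[:\]|\(:\)"), ":"),
    (re.compile(r"\[@\]"), "@"),
    (re.compile(r"^hxxp", re.IGNORECASE), "http"),
]
_HASH_TYPES = {32: "md5", 40: "sha1", 64: "sha256"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator back into its real form."""
    s = indicator.strip()
    for pat, rep in _DEFANG:
        s = pat.sub(rep, s)
    return s

def classify(value: str) -> dict:
    """Refang and type one indicator; lookup_ok says whether it is worth querying externally."""
    v = refang(value)
    if re.fullmatch(r"[0-9a-fA-F]+", v) and len(v) in _HASH_TYPES:
        return {"type": _HASH_TYPES[len(v)], "value": v.lower(), "lookup_ok": True}
    try:
        ip = ipaddress.ip_address(v)
        # Private/reserved addresses tell an external TI service nothing and
        # should not be submitted to one, so they are marked lookup_ok=False.
        return {"type": f"ipv{ip.version}", "value": str(ip), "lookup_ok": ip.is_global}
    except ValueError:
        pass
    if re.match(r"^https?://", v, re.IGNORECASE):
        return {"type": "url", "value": v, "lookup_ok": True}
    if re.fullmatch(r"(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}", v, re.IGNORECASE):
        return {"type": "domain", "value": v.lower(), "lookup_ok": True}
    return {"type": "unknown", "value": v, "lookup_ok": False}

def triage(lines):
    """Pull 'Flagged <kind>: <value>' lines out of an escalation note."""
    out = []
    for line in lines:
        m = re.match(r"^Flagged\s+.*?:\s*(\S+)\s*$", line)
        if m:
            out.append(classify(m.group(1)))
    return out

# Constructed input: the two indicators escalated in this scenario
ESCALATION = [
    "Flagged IP: 101[.]99[.]76[.]120",
    "Flagged SHA256 hash: 5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f",
]
```

Running `triage(ESCALATION)` yields one `ipv4` record and one `sha256` record, both ready to be pasted into the search application.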

https://tryhackme.com/room/invite-only


1- What is the name of the file identified with the flagged SHA256 hash?

syshelpers.exe


2- What is the file type associated with the flagged SHA256 hash?

Win32 EXE


3- What are the execution parents of the flagged hash? List the names chronologically, using a comma as a separator. Note down the hashes for later use.