# Invite Only THM Writeup

Hey, hope you are doing great. Today we are going through the **Invite Only** room on TryHackMe.

Below is the information we are given:

You are an SOC analyst on the SOC team at Managed Server Provider TrySecureMe. Today, you are supporting an L3 analyst in investigating flagged IPs, hashes, URLs, or domains as part of IR activities. One of the L1 analysts flagged two suspicious findings early in the morning and escalated them. Your task is to analyse these findings further and distil the information into usable threat intelligence.

Flagged IP: `101[.]99[.]76[.]120`

Flagged SHA256 hash: `5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f`

We recently purchased a new threat intelligence search application called TryDetectThis2.0. You can use this application to gather information on the indicators above.

---

### Question 1

**What is the name of the file identified with the flagged SHA256 hash?**

After booting up the VM, launch the application on the desktop named `TryDetectThis2.0`, or, if you prefer using your own machine, visit [VirusTotal](https://www.virustotal.com/gui/home/search) (click the link to be redirected to the page). It looks like this...

![image](https://hackmd.io/_uploads/S1CmqQ-1bg.png)

Here, search for the flagged hash given in the room description: `5d0509f68a9b7c415a726be75a078180e3f02e59866f193b0a99eee8e39c874f`

On searching that hash you will get results similar to this:

![image](https://hackmd.io/_uploads/B1PKcmWkbg.png)

The name of the file identified with the flagged hash is **syshelpers.exe**.

---

### Question 2

**What is the file type associated with the flagged SHA256 hash?**

We go into the DETAILS tab to get the associated file type. In the Basic Properties list, you can see the file type.
![image](https://hackmd.io/_uploads/HkVPomb1bg.png)

The file type associated with the flagged SHA256 hash is **Win32 EXE**.

---

### Question 3

**What are the execution parents of the flagged hash? List the names chronologically, using a comma as a separator. Note down the hashes for later use.**

For the execution parents we go into the RELATIONS tab and scroll down until you reach the `Execution Parents` part, where you will see this:

![image](https://hackmd.io/_uploads/rkRMhQ-Jbe.png)

The names are: **361GJX7J**, **installer.exe**

Make sure you note down the hashes of these two, since we will use them later. To copy the hashes, simply press the copy button that appears when hovering over the top right corner of this list; it looks like this:

![image](https://hackmd.io/_uploads/HJmP6XbJWg.png)

But if you don't wanna do allat, here they are...

```
047c5eec0445746862710d20e50a5dd04510b7e625fa5c1f5d48ce078001c0de
fa102d4e3cfbe85f5189da70a52c1d266925f3efd122091cdc8fe0fc39033942
```

---

### Question 4

**What is the name of the file being dropped? Note down the hash value for later use.**

The Dropped Files list is in the same tab as in the previous question; you just have to scroll down a bit more.

![image](https://hackmd.io/_uploads/HycahmWk-e.png)

So, the dropped file is **Aclient.exe**.

---

### Question 5

**Research the second hash in question 3 and list the four malicious dropped files in the order they appear (from up to down), separated by commas.**

In this question we are using the hashes that we copied in question 3 of this room. Copy the second hash, which was for `installer.exe`, into the search bar and click search.

![image](https://hackmd.io/_uploads/SJsfRQbkZg.png)

This question is asking for the four malicious dropped files in the order they appear (from top to bottom), so we go to the RELATIONS tab and scroll down until you find the Dropped Files list.

NOTE: The question is asking for `malicious dropped files`, so we have to look for the files flagged red.
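The pivots in questions 3 to 5 (execution parents of the flagged hash, then the dropped files of the second parent, keeping only those flagged malicious) can also be scripted against VirusTotal's API instead of clicking through the RELATIONS tab. This is an added example, not part of the original writeup or of VirusTotal's own tooling: it assumes the v3 endpoint `GET /api/v3/files/{sha256}/{relationship}` and the response shape shown in the constructed sample data, which reuses the room's hashes and file names but makes up the submission dates, verdict counts, placeholder ids like `hash-a` and the benign entry.

```python
import json

VT_API = "https://www.virustotal.com/api/v3"  # assumption: VirusTotal API v3 base URL


def relationship_url(sha256: str, relationship: str) -> str:
    """Endpoint for a file relationship such as execution_parents or dropped_files."""
    return f"{VT_API}/files/{sha256}/{relationship}"


def _name(obj: dict) -> str:
    """Best available file name: meaningful_name, then the first known name, else the hash."""
    attrs = obj.get("attributes", {})
    return attrs.get("meaningful_name") or (attrs.get("names") or [obj["id"]])[0]


def parent_names_chronological(response: dict) -> list[str]:
    """Execution parents ordered by first submission date, oldest first."""
    parents = sorted(response["data"],
                     key=lambda o: o["attributes"].get("first_submission_date", 0))
    return [_name(o) for o in parents]


def malicious_dropped_names(response: dict) -> list[str]:
    """Dropped files with at least one malicious engine verdict, in response order."""
    return [_name(o) for o in response["data"]
            if o["attributes"].get("last_analysis_stats", {}).get("malicious", 0) > 0]


# Constructed sample responses shaped like VT API v3 relationship objects. Hashes and
# names are the room's; submission dates, verdict counts and the benign entry are made up.
EXECUTION_PARENTS = json.loads("""{"data": [
 {"type": "file", "id": "fa102d4e3cfbe85f5189da70a52c1d266925f3efd122091cdc8fe0fc39033942",
  "attributes": {"meaningful_name": "installer.exe", "first_submission_date": 1700000200,
                 "last_analysis_stats": {"malicious": 45}}},
 {"type": "file", "id": "047c5eec0445746862710d20e50a5dd04510b7e625fa5c1f5d48ce078001c0de",
  "attributes": {"names": ["361GJX7J"], "first_submission_date": 1700000100,
                 "last_analysis_stats": {"malicious": 38}}}]}""")

DROPPED_FILES = json.loads("""{"data": [
 {"type": "file", "id": "hash-a", "attributes": {"meaningful_name": "searchhost.exe", "last_analysis_stats": {"malicious": 30}}},
 {"type": "file", "id": "hash-b", "attributes": {"meaningful_name": "syshelpers.exe", "last_analysis_stats": {"malicious": 41}}},
 {"type": "file", "id": "hash-c", "attributes": {"meaningful_name": "benign-placeholder.txt", "last_analysis_stats": {"malicious": 0}}},
 {"type": "file", "id": "hash-d", "attributes": {"meaningful_name": "nat.vbs", "last_analysis_stats": {"malicious": 22}}},
 {"type": "file", "id": "hash-e", "attributes": {"meaningful_name": "runsys.vbs", "last_analysis_stats": {"malicious": 25}}}]}""")

if __name__ == "__main__":
    print("execution parents:", ", ".join(parent_names_chronological(EXECUTION_PARENTS)))
    print("malicious dropped files:", ", ".join(malicious_dropped_names(DROPPED_FILES)))
```

Note that the script sorts parents by submission date rather than trusting the order the API returns them in, and that it drops the benign entry because its `malicious` count is zero.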
![image](https://hackmd.io/_uploads/Hyv507-Jbg.png)

It's easy to spot them, but here they are: **searchhost.exe,syshelpers.exe,nat.vbs,runsys.vbs**

---

### Question 6

**Analyse the files related to the flagged IP. What is the malware family that links these files?**

Here is where we get to the IP part; we were on hashes the whole time, but it's alright. The IP is in the room description:

![image](https://hackmd.io/_uploads/BkB-k4ZJZx.png)

**101.99.76.120**

Search it up in the search bar. This one gave me a lil headache trying to look for some clues, but when I got to the COMMUNITY tab on the far right, I found an interesting comment.

![image](https://hackmd.io/_uploads/BJV6JEbkbl.png)

In the comment we can see that the malpedia entry is `AsyncRAT`, and malpedia means...

![image](https://hackmd.io/_uploads/rJldgEW1-l.png)

malware related, so I became sure that `AsyncRAT` is the malware family we are looking for.

---

### Question 7

**What is the title of the original report where these flagged indicators are mentioned? Use Google to find the report.**

In the comment I showed you in the previous question, he clearly states the title of the original report as **From Trust to Threat: Hijacked Discord Invites Used for Multi-Stage Malware Delivery**.

---

### Question 8

**Which tool did the attackers use to steal cookies from the Google Chrome browser?**

[Here](https://research.checkpoint.com/2025/from-trust-to-threat-hijacked-discord-invites-used-for-multi-stage-malware-delivery) is the reference for this question.

![image](https://hackmd.io/_uploads/HJrgMVWkZx.png)

The operation continues to evolve, and threat actors can now bypass Chrome's App Bound Encryption (ABE) by using adapted tools like **ChromeKatz** to steal cookies from new Chromium browser versions.

Tool used: **ChromeKatz**

---

### Question 9

**Which phishing technique did the attackers use?
Use the report to answer the question.**

![image](https://hackmd.io/_uploads/S1tPzVbkWg.png)

The phishing technique used by the attackers is **ClickFix**.

---

### Question 10

**What is the name of the platform that was used to redirect a user to malicious servers?**

If you have read the report in the reference above, I am certain you already know the name of the platform involved, with its logos everywhere in that reference, so I leave this task to YOU.

Thank you for reading this writeup and I hope you have learned something. Have a nice day!