Memory Challenge 12: BlackEnergy
2025-12-11 11:52:56 Author: blog.cerbero.io


We’re testing our Memory Analysis package (currently in beta) against various challenges available online.

We found this challenge on the Memory Forensic site, so credit goes to them for highlighting it and to CyberDefenders for creating it in the first place.

The scenario is as follows:

“A multinational corporation has been hit by a cyber attack that has led to the theft of sensitive data. The attack was carried out using a variant of the BlackEnergy v2 malware that has never been seen before. The company’s security team has acquired a memory dump of the infected machine, and they want you, as a SOC analyst, to analyze the dump to understand the attack scope and impact.”

The challenge consists of several questions. We address the most important ones by identifying the most suspicious (exited) process, locating the process that contains the injected code, finding an unusual referenced file, and identifying the injected DLL loaded by the same process. As a bonus, we load the injected PE directly into our analysis workspace and determine the malware’s name via a YARA signature.
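The four checks above (exited processes, private executable memory holding a PE header, modules loaded from unexpected paths, and a signature match on the carved image) are the classic code-injection triage sequence. The following is an added, self-contained Python illustration of that sequence; it is not Cerbero's code and does not use their Memory Analysis package. The process table, VAD-like regions, module paths, the `build_fake_pe` blob and the `Hypothetical_Injected_Loader` rule are all constructed for the example, and `scan_region` is a deliberately simplified stand-in for a real YARA scan, not a BlackEnergy signature.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Protections under which a region can execute code (Windows PAGE_* names).
EXEC_PROTECTIONS = {"PAGE_EXECUTE", "PAGE_EXECUTE_READ",
                    "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

# Hypothetical allowlist of directories a legitimately loaded module is expected to come from.
EXPECTED_MODULE_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                        "c:\\program files\\")

# Constructed rule for the example: a rule "matches" when every string is present.
# This is NOT a real BlackEnergy signature.
RULES: Dict[str, List[bytes]] = {
    "Hypothetical_Injected_Loader": [b"LoadLibraryA", b"\\\\.\\pipe\\"],
}


@dataclass
class Region:
    base: int
    protection: str
    mapped_file: Optional[str]   # backing file for image/file mappings, None for private memory
    data: bytes                  # leading bytes of the region as read from the dump


@dataclass
class Process:
    pid: int
    name: str
    exited: bool                 # True if the process object is terminated but still in the dump
    modules: List[str] = field(default_factory=list)   # paths from the loader's module list
    regions: List[Region] = field(default_factory=list)


def looks_like_pe(data: bytes) -> bool:
    """MZ stub followed by a 'PE\\0\\0' signature at the e_lfanew offset (0x3C)."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_exited_processes(procs: List[Process]) -> List[Tuple[int, str]]:
    return [(p.pid, p.name) for p in procs if p.exited]


def find_injected_regions(procs: List[Process]) -> List[Tuple[int, int]]:
    """malfind-style heuristic: executable, not file-backed, and holding a PE header."""
    hits = []
    for p in procs:
        for r in p.regions:
            if (r.protection in EXEC_PROTECTIONS and r.mapped_file is None
                    and looks_like_pe(r.data)):
                hits.append((p.pid, r.base))
    return hits


def find_unusual_modules(procs: List[Process]) -> List[Tuple[int, str]]:
    """Loaded modules whose path is outside the expected directories."""
    return [(p.pid, m) for p in procs for m in p.modules
            if not m.lower().startswith(EXPECTED_MODULE_DIRS)]


def scan_region(data: bytes, rules: Dict[str, List[bytes]]) -> List[str]:
    """Simplified stand-in for a YARA scan over a carved region."""
    return [name for name, strings in rules.items() if all(s in data for s in strings)]


def build_fake_pe(payload: bytes) -> bytes:
    """Constructed minimal MZ/PE header (not a loadable binary) followed by a payload."""
    hdr = bytearray(0x80)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)   # e_lfanew -> 0x40
    hdr[0x40:0x44] = b"PE\0\0"
    return bytes(hdr) + payload


def sample_snapshot() -> List[Process]:
    """Constructed process table standing in for what a dump parser would yield."""
    injected = build_fake_pe(b"...LoadLibraryA...\\\\.\\pipe\\demo...")
    return [
        Process(4, "System", False),
        Process(612, "target.exe", False,
                modules=["C:\\Windows\\System32\\target.exe",
                         "C:\\Windows\\System32\\ntdll.dll",
                         "C:\\Users\\Public\\unusual.dll"],
                regions=[
                    Region(0x400000, "PAGE_EXECUTE_WRITECOPY",
                           "C:\\Windows\\System32\\target.exe", build_fake_pe(b"")),
                    Region(0x2A0000, "PAGE_EXECUTE_READWRITE", None, injected),
                    Region(0x3B0000, "PAGE_READWRITE", None, b"\x00" * 0x80),
                ]),
        Process(3000, "dropper.exe", True),
    ]


if __name__ == "__main__":
    procs = sample_snapshot()
    print("exited:", find_exited_processes(procs))
    print("injected:", [(pid, hex(base)) for pid, base in find_injected_regions(procs)])
    print("unusual modules:", find_unusual_modules(procs))
    for pid, base in find_injected_regions(procs):
        region = next(r for p in procs if p.pid == pid for r in p.regions if r.base == base)
        print("rules matched at", hex(base), ":", scan_region(region.data, RULES))
```

The file-backed main image at `0x400000` is executable but mapped from disk, so it is deliberately not reported; only the private RWX region with a PE header is, which is the same distinction a malfind-style plugin draws. A real YARA pass would replace `scan_region` with the `yara` module or the tool's own rule engine run over the carved bytes.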


Source: https://blog.cerbero.io/memory-challenge-12-blackenergy/