Memory Challenge 13: TeamSpy
Testing a memory analysis toolkit against an anomaly on an employee's machine: extracting the TeamViewer password and the Outlook PST file, identifying the related email addresses, BTC wallet and VBA function, and recovering the IP address used to download the malicious payload.

2025-12-16 11:39:6 Author: blog.cerbero.io


We’re testing our Memory Analysis package (currently in beta) against various challenges available online.

We found this challenge on the Memory Forensic site, so credit goes to them for highlighting it and to CyberDefenders for creating it in the first place.

The scenario is as follows:

“An employee reported that his machine started to act strangely after receiving a suspicious email with a document file. The incident response team captured a couple of memory dumps from the suspected machines for further inspection. As a SOC analyst, analyze the dumps and help the IR team figure out what happened!”

We address some of the questions raised by the challenge. We identify the suspicious process, determine the TeamViewer version and then extract the TeamViewer password from the process’s user-mode memory. We then carve the Outlook PST file from memory and examine it directly in our workspace. From there, we identify the involved email addresses, the BTC wallet and the VBA function that returns the string executed on the system. As a bonus, we deobfuscate that string and recover the IP address used to download the malicious payload.
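Carving the PST file out of the memory dump, as described above, rests on locating the PST header and reading its declared size. The following is an added example (not the Cerbero package's own code): a minimal carver that scans a buffer for the `!BDN` magic, validates the client magic and version, and reads `ibFileEof` at the offsets given by the MS-PST specification (184 for Unicode, 168 for ANSI). The sample dump, with one valid header and one decoy, is constructed inline.

```python
import struct

PST_MAGIC = b"!BDN"
MAGIC_CLIENT_PST = 0x4D53  # "SM" marks a PST; "SO" (0x4F53) would be an OST

def parse_pst_header(buf, off):
    """Validate a candidate PST header at buf[off:]; return (fmt, ibFileEof) or None.
    Field offsets per MS-PST: wMagicClient @8, wVer @10,
    ibFileEof @168 (ANSI, 4 bytes) or @184 (Unicode, 8 bytes)."""
    if buf[off:off + 4] != PST_MAGIC or len(buf) - off < 192:
        return None
    magic_client, ver = struct.unpack_from("<HH", buf, off + 8)
    if magic_client != MAGIC_CLIENT_PST:
        return None
    if ver in (14, 15):
        fmt, eof = "ansi", struct.unpack_from("<I", buf, off + 168)[0]
    elif ver >= 23:
        fmt, eof = "unicode", struct.unpack_from("<Q", buf, off + 184)[0]
    else:
        return None
    return (fmt, eof) if eof >= 512 else None  # the header alone is 512 bytes

def carve_pst(buf):
    """Return [(offset, fmt, declared_size, carved_bytes)] for each plausible header.
    Pages of a file are rarely contiguous in a memory dump, so the carve is
    truncated to the bytes available and the declared size is reported separately."""
    hits, pos = [], buf.find(PST_MAGIC)
    while pos != -1:
        parsed = parse_pst_header(buf, pos)
        if parsed:
            fmt, eof = parsed
            hits.append((pos, fmt, eof, buf[pos:pos + eof]))
        pos = buf.find(PST_MAGIC, pos + 1)
    return hits

def build_header(ver, eof):
    """Constructed test header (not real PST data): only the fields the carver reads are set."""
    hdr = bytearray(512)
    hdr[0:4] = PST_MAGIC
    struct.pack_into("<HH", hdr, 8, MAGIC_CLIENT_PST, ver)
    struct.pack_into("<Q" if ver >= 23 else "<I", hdr, 184 if ver >= 23 else 168, eof)
    return bytes(hdr)

# Constructed sample dump: a zero page, a Unicode PST of 8192 bytes, then a decoy
# "!BDN" with no client magic or version, which the carver must reject.
SAMPLE_DUMP = (b"\x00" * 4096 + build_header(23, 8192) + b"A" * 7680
               + b"!BDN" + b"\x00" * 508 + b"\xff" * 1024)

if __name__ == "__main__":
    for off, fmt, size, data in carve_pst(SAMPLE_DUMP):
        print(f"PST header at {off:#x}: {fmt}, declared {size} bytes, carved {len(data)}")
```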


Source: https://blog.cerbero.io/memory-challenge-13-teamspy/