 #30110  by EP_X0FF
 Wed Mar 15, 2017 4:15 am
It is RunPE. Set a breakpoint on CreateProcess. Once it is called, set a breakpoint on NtWriteProcessMemory and inspect each call that follows. After a few system calls there will be the payload call trying to write a buffer with the decrypted executable. Dump this memory and extract the PE from this dump.

This is a generic technique for most malware "crypters".

This sample is identified by MS as TrojanDownloader:Win32/Talalpek.A and probably has a win32k exploit on board.
Notice it attempts to get SHAREDINFO by both binary search and a CsrClientConnectToServer call.
Attachments
pass: infected