Monday, April 26, 2021

Using PE-SIEVE to unpack malware

Just practicing unpacking malware with this sample

http://dreamofareverseengineer.blogspot.com/2017/03/unpacking-malware-in-minutes.html?m=1

md5:dca9106dc8556f9a15d7e18b4fad5d44


What worked was using x64dbg

Attach a breakpoint on CreateProcessInternalW

if I ran a few lines past this I saw a child process spawned (svchost.exe)

And given the context and strings around this call I saw "NtResumeThread" among others

So I set a breakpoint on NtResumeThread (which appears to be ready to launch code in the child process svchost.exe)


Then open a new 2nd instance of x64dbg

"Attach" to svchost.exe, which really isn't doing much right now

Go to the threads tab and you'll see 2 of them!

1 of them is in the "suspended" state


Click into that suspended thread and set a breakpoint on the 1st line of code in there

Then click "run" in the svchost.exe debugger so it is no longer stopped on any breakpoints


Then return to the original x64dbg and click "detach" to allow it to proceed and start the "svchost.exe" process

In the x64dbg on svchost you should now hit its breakpoint

Now you're inside the 2nd stage of the malware, but the malicious code hasn't been unpacked yet, so there are still no good strings.


Set a breakpoint on the "ret 10" instruction at the end of VirtualAlloc.

Run, then check strings. If you see nothing, run again, and check strings.

Proceed until you notice the good strings ... (like URLs, etc.)


Then one easy way to get the executable out of memory is to just run

pe-sieve64.exe /pid ???


It will dump the unpacked executable for you.
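The "check strings" step above is the signal that the payload has been unpacked, and the same check is worth repeating on whatever pe-sieve dumps out. The following is an added example, not the author's code and not part of pe-sieve: a small Python triage script that confirms a dump starts with a DOS header whose e_lfanew points at a "PE\0\0" signature, then pulls ASCII and UTF-16LE strings out of it and keeps only the kinds the post calls "good strings" (URLs, IPs, dropped-file names, registry paths). It runs offline on a constructed byte buffer standing in for a pe-sieve output file; the indicator patterns, the `example.invalid` hostname and the embedded strings are assumptions made for the demonstration.

```python
import re
import struct
import sys

MIN_LEN = 6  # shortest printable run worth reporting

# Assumed patterns for the "good strings" the post watches for once the payload is unpacked.
INDICATOR_PATTERNS = [
    re.compile(r"https?://[^\s\"'<>]+", re.I),                 # URLs
    re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}(?::\d+)?\b"),       # IPv4, optional port
    re.compile(r"\b[\w.-]+\.(?:exe|dll|bat|ps1)\b", re.I),     # dropped-file names
    re.compile(r"\b(?:HKLM|HKCU|SOFTWARE\\)[\w\\]+", re.I),    # registry paths
]


def is_pe_image(buf: bytes) -> bool:
    """Sanity check for a dump: 'MZ' at offset 0 and e_lfanew (offset 0x3C) pointing at 'PE\\0\\0'."""
    if len(buf) < 0x40 or buf[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", buf, 0x3C)
    return buf[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_strings(buf: bytes, min_len: int = MIN_LEN):
    """Yield (offset, encoding, text) for printable ASCII runs and for UTF-16LE runs."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, buf):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in re.finditer(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, buf):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")


def interesting_strings(buf: bytes):
    """Return (offset, encoding, match) for strings hitting an indicator pattern, deduplicated, by offset."""
    hits, seen = [], set()
    for off, enc, text in extract_strings(buf):
        for pat in INDICATOR_PATTERNS:
            for m in pat.finditer(text):
                key = (enc, m.group())
                if key not in seen:
                    seen.add(key)
                    hits.append((off, enc, m.group()))
    hits.sort()
    return hits


def build_sample_dump() -> bytes:
    """Constructed stand-in for a pe-sieve dump: just enough header to pass is_pe_image, plus strings."""
    dos = bytearray(b"MZ" + b"\x00" * 0x3E)      # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x80)       # e_lfanew -> 0x80
    dos += b"\x00" * (0x80 - len(dos))
    body = (
        b"\x00" * 16
        + b"GET /gate.php HTTP/1.1\x00"
        + b"http://c2.example.invalid/gate.php\x00"          # constructed URL
        + "C:\\Windows\\System32\\svchost.exe".encode("utf-16le") + b"\x00\x00"
        + b"ab\x00"                                          # too short, ignored
        + b"SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
    )
    return bytes(dos) + b"PE\x00\x00" + body


if __name__ == "__main__":
    # Usage: python triage.py <dump-file>; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_dump()
    print("valid PE header:", is_pe_image(data))
    for off, enc, s in interesting_strings(data):
        print(f"0x{off:08x} {enc:8s} {s}")
```

Run it against the files pe-sieve writes to its output directory; a dump that fails the header check or yields no indicator strings usually means the breakpoint was hit too early and the "run, then check strings" loop needs another iteration.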