[ About hancitor ]
https://unit42.paloaltonetworks.com/hancitor-infections-cobalt-strike/
https://isc.sans.edu/forums/diary/Hancitor+activity+resumes+after+a+hoilday+break/26980/

[ VirtualProtectEx ]
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualprotectex
5 params; 1st is hProcess, 2nd (lpAddress) is the address whose protection is changed, 4th (flNewProtect) is the new protection. The non-Ex VirtualProtect drops hProcess, so there the address is the 1st param.

[ VirtualAllocEx ]
https://docs.microsoft.com/en-us/windows/win32/api/memoryapi/nf-memoryapi-virtualallocex
5 params; 1st is hProcess. Return value (eax) is the base address of the allocated region, or NULL on failure. Same for the non-Ex VirtualAlloc, minus hProcess.

[ Steps for Unpacking and Unmapping ]
1. bp VirtualAlloc and bp VirtualProtect, then just Run (F9) through every bp hit until no more fire.
2. In the Breakpoints tab, note how many times VirtualAlloc and VirtualProtect were each hit. That tells us which hit is the last one, i.e. when we should dump.
3. Restore the Virtual Machine and repeat, but this time follow the arguments of each call (and eax on return from VirtualAlloc) until that last bp.
4. The last bp is a VirtualAlloc whose return is eax = 0x230000 (yours will likely differ). Right at the return the region is still empty, so continue until the unpacker has written into it; check that it starts with MZ before dumping.
5. Dump the region at 0x230000 with Process Hacker, unmap it with PE-bear (PointerToRawData/SizeOfRawData rewritten to VirtualAddress/VirtualSize so the file layout matches the memory layout), then check the result in IDA.
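The "unmap" step above is the part people usually hand to PE-bear without seeing what it changes. The following script is an added example, not part of these notes and not PE-bear's code: it applies the same header rewrite (PointerToRawData = VirtualAddress, SizeOfRawData = VirtualSize, FileAlignment = SectionAlignment, and optionally ImageBase = the address the dump was taken from) to a raw region dump. The sample image it builds is a constructed minimal PE32, not Hancitor; the function and field names are this example's own.

```python
import struct
from typing import Optional

PE32, PE32PLUS = 0x10B, 0x20B


def pe_info(img: bytes) -> dict:
    """Parse the headers of a PE image in either file or memory layout.

    Sections come back as (name, VirtualSize, VirtualAddress,
    SizeOfRawData, PointerToRawData)."""
    if img[:2] != b"MZ":
        raise ValueError("no MZ header at offset 0; is this really the image base?")
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    fh = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsec = struct.unpack_from("<H", img, fh + 2)[0]
    size_opt = struct.unpack_from("<H", img, fh + 16)[0]
    oh = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", img, oh)[0]
    if magic == PE32:
        ib_off, ib_fmt = oh + 28, "<I"
    elif magic == PE32PLUS:
        ib_off, ib_fmt = oh + 24, "<Q"
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sec_align, file_align = struct.unpack_from("<II", img, oh + 32)
    st = oh + size_opt                                  # IMAGE_SECTION_HEADER[]
    secs = []
    for i in range(nsec):
        s = st + i * 40
        name = bytes(img[s:s + 8]).rstrip(b"\0")
        secs.append((name,) + struct.unpack_from("<IIII", img, s + 8))
    return {"opt_hdr": oh, "imagebase_off": ib_off, "imagebase_fmt": ib_fmt,
            "image_base": struct.unpack_from(ib_fmt, img, ib_off)[0],
            "section_align": sec_align, "file_align": file_align,
            "section_table": st, "sections": secs}


def unmap_pe(dump: bytes, dump_base: Optional[int] = None) -> bytes:
    """Rewrite section headers so a memory dump parses as a file again.

    In memory a section sits at ImageBase + VirtualAddress; in a file it sits
    at PointerToRawData. A dump has the bytes where VirtualAddress says but
    headers that still point at the old raw offsets, so we make the raw
    fields equal the virtual ones (the transformation PE-bear's unmap does)."""
    buf = bytearray(dump)
    info = pe_info(buf)
    for i, (_, vsize, vaddr, _, _) in enumerate(info["sections"]):
        s = info["section_table"] + i * 40
        struct.pack_into("<II", buf, s + 16, vsize, vaddr)   # SizeOfRawData, PointerToRawData
    struct.pack_into("<I", buf, info["opt_hdr"] + 36, info["section_align"])  # FileAlignment
    if dump_base is not None:
        # The unpacker may already have relocated the payload for the address
        # it allocated (0x230000 in the notes), so record that as ImageBase.
        struct.pack_into(info["imagebase_fmt"], buf, info["imagebase_off"], dump_base)
    return bytes(buf)


def section_data(img: bytes, name: bytes) -> bytes:
    """Read a section the way a file parser (or IDA loading the file) would."""
    for n, _, _, rsize, rptr in pe_info(img)["sections"]:
        if n == name:
            return bytes(img[rptr:rptr + rsize])
    raise KeyError(name)


def build_sample_dump() -> bytes:
    """Constructed PE32 image in memory layout: headers still carry the file
    offsets the linker wrote (0x400/0x600) but the section bytes sit at their
    RVAs, exactly what a region dump of an unpacked payload looks like."""
    sec_align, file_align = 0x1000, 0x200
    secs = [(b".text", 0x1000, b"\x90" * 16 + b"\xc3"), (b".data", 0x2000, b"unpacked\0")]
    img = bytearray(0x3000)
    img[:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    fh, size_opt = e_lfanew + 4, 224
    struct.pack_into("<HHIIIHH", img, fh, 0x14C, len(secs), 0, 0, 0, size_opt, 0x102)
    oh = fh + 20
    struct.pack_into("<H", img, oh, PE32)
    struct.pack_into("<I", img, oh + 16, 0x1000)        # AddressOfEntryPoint
    struct.pack_into("<I", img, oh + 28, 0x400000)      # ImageBase as linked
    struct.pack_into("<II", img, oh + 32, sec_align, file_align)
    struct.pack_into("<II", img, oh + 56, len(img), 0x400)  # SizeOfImage, SizeOfHeaders
    st = oh + size_opt
    for i, (name, rva, data) in enumerate(secs):
        s = st + i * 40
        img[s:s + 8] = name.ljust(8, b"\0")
        struct.pack_into("<IIII", img, s + 8, len(data), rva, file_align, 0x400 + i * 0x200)
        struct.pack_into("<I", img, s + 36, 0x60000020 if name == b".text" else 0xC0000040)
        img[rva:rva + len(data)] = data                 # bytes live at the RVA, as in a dump
    return bytes(img)


if __name__ == "__main__":
    dump = build_sample_dump()
    fixed = unmap_pe(dump, dump_base=0x230000)
    for before, after in zip(pe_info(dump)["sections"], pe_info(fixed)["sections"]):
        print(before, "->", after)
```

Run it as `python unmap.py` on the built-in sample, or call `unmap_pe(open("dump.bin","rb").read(), 0x230000)` on a real region dump. Before the rewrite, `section_data(dump, b".text")` returns zeros because the raw pointer still points at the old file offset; afterwards it returns the bytes IDA will actually see.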