Thanks for the reply, Jared. The reason for the investigation was an alert regarding download of an executable from a suspicious domain. I have the executable extracted from PCAP, and it's detected as adware/malware by multiple engines:
https://www.virustotal.com/en/file/83b751e0cbc22611589f24f83302b7b7538b5c479613966a9828f949445c47d8/analysis/
 
Due to timing of the event, memory sample and other data was acquired the next day.
 
I've seen no evidence (keep in mind, I'm relatively new to this) of the executable running. The file no longer exists on disk, and there's no reference to it in the $MFT on disk. (Need to go back and grab UsnJrnl.)
 
So, among the questions I need to answer are:
Did it execute?
What happened to the file? (Note, there's no indication of AV detection/quarantine. We get those alerts.)
Why do certain strings from the executable (such as author & company) appear in Kernel space? (For example: [kernel:f9805ba44800] - there are 30 different hits like this, as well as numerous in [FREE MEMORY].)
 
So, I haven't tied this back to any specific module, and am not sure how to go about doing so, if in fact it's in a module. I'll give the shimcache and timeliner plugins a go to see if anything new appears. In the meantime, I'm particularly interested in how to answer that 3rd question, as it's relevant for a couple of other unrelated incidents as well.
 
Thanks again for the help.
Greg 
On Thu, May 14, 2015 at 12:35 PM, Jared Greenhill <jared703@gmail.com> wrote:
Hey Greg,

A couple thoughts/ideas:

What was the initial reason for investigation - the suspect EXE? Do you have a timeframe of the suspect activity?

What was the context around the suspect EXE download, just the PCAP or? If so, did the memory capture occur when there was still an active connection? Sometimes this can be a dealbreaker when the connection isn't there.

Does moddump work on the module with that base address? If so, what type of strings are you seeing?

As far as execution goes, does the shimcache plugin provide any results around the time of interest? Assuming you have a time of interest, you could also try the timeliner plugin to pull in other temporal artifacts to hone in around that suspect time.

hope this helps,
Jared - @jared703


On Tue, May 12, 2015 at 3:36 PM, Gregory Pendergast <greg.pendergast@gmail.com> wrote:
Greetings,

I'm examining a memory sample (captured locally with winpmem_1.6.2)
<yeah...i know...>

Modscan shows one apparently strange module that has no name and no
file listed. The base address space also seems way out of whack for
the rest of the sample.

So all I have are offset, base, and size:
0x000000023a80b540 0x48706657040b0003 0xf3a54f0

In particular, that base address seems way out of range compared to
everything else in 0xfffff8.... space

How can I tell if this is an error of some kind in the captured sample
versus a legitimate anomaly that bears investigation?


Lastly, and pardon me if this is a n00b question, but how can I
determine why specific strings appear in kernel memory (based on
strings plugin output)? For context, I have a suspicious executable
download, but there appears to be no evidence of the file in $MFT (I
don't have access to UsnJrnl) and I'm trying to find out what happened
to it and whether it ran. Strings from the executable (obtained from
pcap) do appear in Free Memory and Kernel memory, but I'm not clear
whether that's a symptom of the download or a sign of execution.

Thanks,
greg
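As an added example (not code from this thread or from Volatility itself), the helper below addresses the two address questions raised above: it sanity-checks modscan rows such as the unnamed one quoted, and resolves strings-plugin "[kernel:ADDR]" hits to the module whose base/size range contains them. The module names and hit addresses are constructed samples; only the unnamed row is taken from the thread.

```python
# Added example, not from the thread or from Volatility: sanity-check modscan
# rows (offset, base, size) and map "[kernel:ADDR]" string hits to a module.

KERNEL_MIN = 0xFFFF800000000000  # lowest x64 Windows kernel-space address

def is_canonical(addr):
    """x64 canonical form: bits 63..47 must all be equal."""
    top = addr >> 47
    return top == 0 or top == (1 << 17) - 1

def check_module(base, size):
    """Return reasons a modscan row looks implausible (empty list if fine)."""
    problems = []
    if not is_canonical(base):
        problems.append("base is not a canonical x64 address")
    elif base < KERNEL_MIN:
        problems.append("base is not in kernel space")
    if base & 0xFFF:
        problems.append("base is not page aligned")
    if size == 0 or size > 0x10000000:
        problems.append("size is outside a plausible driver range")
    return problems

def parse_modscan(text):
    """Parse 'offset base size [name]' rows; unnamed rows get '<unnamed>'."""
    mods = []
    for line in text.strip().splitlines():
        parts = line.split()
        base, size = int(parts[1], 16), int(parts[2], 16)
        name = parts[3] if len(parts) > 3 else "<unnamed>"
        mods.append((name, base, size))
    return mods

def resolve(tag, mods):
    """Map a strings-plugin '[kernel:ADDR]' tag to (name, offset) or None."""
    addr = int(tag.strip("[]").split(":")[1], 16)
    for name, base, size in mods:
        if base <= addr < base + size:
            return name, addr - base
    return None

# Constructed sample: two made-up rows plus the unnamed row quoted in the thread.
SAMPLE_MODSCAN = """\
0xfffffa8001234000 0xfffff88001000000 0x12000 example.sys
0xfffffa8001235000 0xfffff80002c00000 0x5e8000 ntoskrnl.exe
0x000000023a80b540 0x48706657040b0003 0xf3a54f0
"""
# Constructed hits in the strings-plugin "[kernel:ADDR]" form.
SAMPLE_HITS = ["[kernel:fffff88001005678]", "[kernel:fffff8800abc0000]"]
```

A hit that resolves to no module (and no flagged row) usually means the page was not part of a loaded driver's image, so the string may sit in pool memory, a cache page, or a stale mapping rather than in executed code.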