romcom
| Field | Value |
|---|---|
| Released | 2025-09-11 |
| Retired | 2025-09-11 |
| Author | CyberJunkie |
Scenario
Task 01
Question: What is the CVE assigned to the WinRAR vulnerability exploited by the RomCom threat group in 2025?
In 2025, a threat actor sometimes tracked as RomCom (also known as Storm-0978 (Microsoft), Tropical Scorpius (Palo Alto), or UNC2596 (Google)) abused a zero-day vulnerability in WinRAR. On July 18th, 2025, ESET observed the exploitation of this vulnerability in WinRAR version 7.12. This vulnerability was later assigned the identifier CVE-2025-8088.
Answer: CVE-2025-8088
Task 02
Question: What is the nature of this vulnerability?
According to the description in the NIST database:
A path traversal vulnerability affecting the Windows version of WinRAR allows the attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.
Answer: Path Traversal
Task 03
Question: What is the name of the archive file under Susan’s documents folder that exploits the vulnerability upon opening the archive file?
For the following tasks, you will need the provided artifacts. The packaged archive contains a .vhdx disk image. This image includes both the $MFT and the $J of the affected system for analysis. For easier evaluation, an overview can be generated using MFTECmd (in CSV or JSON format) and then reviewed in the analysis tool of your choice. To get a general overview and understanding of MACB timestamps on an NTFS filesystem, I recommend this video by 13Cubed and the mentioned slides I'm your MAC(b) Daddy.
```
Contains([Extension], '.rar') And Contains([Parent Path], 'Documents')
```
By applying a filter for the .rar file extension in combination with Documents in the file path, only a single file can be found.
Answer: Pathology-Department-Research-Records.rar
Task 04
Question: When was the archive file created on the disk?
By checking the remaining columns (or keys in JSON format), the Created0x10 field reveals the timestamp of when the file was created on the disk.
```json
{
  "EntryNumber": 117119,
  "ParentPath": ".\\Users\\susan\\Documents",
  "FileName": "Pathology-Department-Research-Records.rar",
  "FileSize": 8746363,
  "Created0x10": "2025-09-02T08:13:50.5190826+00:00",
  "LastModified0x10": "2025-09-02T14:54:54.0000000+00:00",
  "LastModified0x30": "2025-09-02T08:13:50.5190826+00:00",
  "LastRecordChange0x10": "2025-09-02T08:14:04.9807437+00:00",
  "LastRecordChange0x30": "2025-09-02T08:13:50.5190826+00:00",
  "LastAccess0x10": "2025-09-02T08:14:18.8730290+00:00",
  "LastAccess0x30": "2025-09-02T08:13:50.5190826+00:00"
}
```
Answer: 2025-09-02 08:13:50
Task 05
Question: When was the archive file opened?
This question can also be answered using the dataset from Task 04. The LastRecordChange0x10 field, an indicator that the MFT entry itself was modified, is likely triggered by WinRAR examining the structure of the archive upon opening the file to display its contents. Cross-checking the NTFS journal entries from the $J file shows entries for ObjectIdChange at the same timestamp.
For further verification, applying a filter for the suspected timestamp shows additional entries that were modified or created at the same time. At the known timestamp, the creation of the Pathology-Department-Research-Records.lnk shortcut in the \Recents folder can be found, which is another indication that this archive was opened at that time.
Answer: 2025-09-02 08:14:04
Task 06
Question: What is the name of the decoy document extracted from the archive file, meant to appear legitimate and distract the user?
To identify the decoy document extracted from the archive, the query from the previous task can be adjusted to search for files in the already known Documents folder that were created around the suspected time the archive was opened. Only one document meets these conditions; it was created at 08:14:18.
This can also be verified by viewing the MFT reconstruction in MFT Explorer.
Answer: Genotyping_Results_B57_Positive.pdf
Task 07
Question: What is the name and path of the actual backdoor executable dropped by the archive file?
The extraction timestamp identified in Task 06 can again be used as a filter to identify files created on the system at that moment. Only two additional files were created at the same time, one of which is an executable based on its file extension.
Answer: C:\Users\Susan\Appdata\Local\ApbxHelper.exe
Task 08
Question: The exploit also drops a file to facilitate the persistence and execution of the backdoor. What is the path and name of this file?
This file was previously identified in Task 07. It is a .lnk file, a shortcut, created in the Startup folder for the user Susan, meaning it will be executed every time the user logs in.
Answer: C:\Users\Susan\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Display Settings.lnk
Task 09
Question: What is the associated MITRE Technique ID discussed in the previous question?
When assigning the MITRE Technique ID based on the previously mentioned file, there are several sub-techniques to choose from under the technique Boot or Logon Autostart Execution. Based on the file type, a shortcut, the answer for this Sherlock task corresponds to the second option, Shortcut Modification.
Answer: T1547.009
Task 10
Question: When was the decoy document opened by the end user, thinking it to be a legitimate document?
This question can also be answered with a simple query of the extracted $J dataset for the file in question: there is another timestamp marked with ObjectIdChange.
Answer: 2025-09-02 08:15:05
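The pivots used across Tasks 03 to 07 and 10 (extension plus folder filter, LastRecordChange0x10 cross-checked against $J ObjectIdChange entries, and the "created right after opening" search) can be scripted over MFTECmd output. The following Python is an added example, not part of the original write-up or of MFTECmd; the rows are constructed to mirror MFTECmd's $MFT and $J columns (the column names, the $J rows and the non-archive rows are assumptions, only the archive row copies the values shown in Task 04).

```python
import re
from datetime import datetime, timedelta

# Constructed rows modelled on MFTECmd $MFT and $J output (column names are assumptions); only the archive row copies the write-up's values.
MFT_ROWS = [
    {"ParentPath": ".\\Users\\susan\\Documents", "FileName": "Pathology-Department-Research-Records.rar",
     "Extension": ".rar", "Created0x10": "2025-09-02T08:13:50.5190826+00:00",
     "LastRecordChange0x10": "2025-09-02T08:14:04.9807437+00:00"},
    {"ParentPath": ".\\Users\\susan\\Documents", "FileName": "Genotyping_Results_B57_Positive.pdf",
     "Extension": ".pdf", "Created0x10": "2025-09-02T08:14:18.8730290+00:00"},
    {"ParentPath": ".\\Users\\susan\\AppData\\Local", "FileName": "ApbxHelper.exe",
     "Extension": ".exe", "Created0x10": "2025-09-02T08:14:18.9012345+00:00"},
    {"ParentPath": ".\\Users\\susan\\Downloads", "FileName": "old.rar",  # distractor: .rar outside Documents
     "Extension": ".rar", "Created0x10": "2025-08-30T12:00:00.0000000+00:00"},
]
USN_ROWS = [
    {"Name": "Pathology-Department-Research-Records.rar", "UpdateReasons": "ObjectIdChange",
     "UpdateTimestamp": "2025-09-02T08:14:04.9807437+00:00"},
    {"Name": "Genotyping_Results_B57_Positive.pdf", "UpdateReasons": "FileCreate|DataExtend|Close",
     "UpdateTimestamp": "2025-09-02T08:14:18.8730290+00:00"},
    {"Name": "Genotyping_Results_B57_Positive.pdf", "UpdateReasons": "ObjectIdChange|Close",
     "UpdateTimestamp": "2025-09-02T08:15:05.1234567+00:00"},
]

def parse_ts(value):
    """MFTECmd writes 7 fractional digits (.NET ticks); trim to the 6 that fromisoformat accepts."""
    return datetime.fromisoformat(re.sub(r"(\.\d{6})\d+", r"\1", value))

def find_archives(rows, ext=".rar", folder="Documents"):
    """Task 03 filter: archives whose parent path contains the Documents folder."""
    return [r for r in rows if r["Extension"].lower() == ext and folder in r["ParentPath"]]

def created_within(rows, anchor, seconds):
    """Full paths of files whose Created0x10 lies within `seconds` after the anchor timestamp."""
    t0 = parse_ts(anchor)
    return sorted(r["ParentPath"] + "\\" + r["FileName"] for r in rows
                  if timedelta(0) < parse_ts(r["Created0x10"]) - t0 <= timedelta(seconds=seconds))

def object_id_changes(usn_rows, name):
    """$J ObjectIdChange timestamps for one file: the opened-at indicator of Tasks 05 and 10."""
    return [r["UpdateTimestamp"] for r in usn_rows
            if r["Name"] == name and "ObjectIdChange" in r["UpdateReasons"].split("|")]

def reconstruct(mft_rows, usn_rows, window=30):
    """Chain the pivots: archive -> opened (MFT record change, confirmed in $J) -> files dropped right after."""
    archive = find_archives(mft_rows)[0]
    opened = archive["LastRecordChange0x10"]
    return {"archive": archive["FileName"], "opened": opened,
            "usn_confirms": opened in object_id_changes(usn_rows, archive["FileName"]),
            "dropped": created_within(mft_rows, opened, window)}
```

Against real MFTECmd CSV output the same functions apply after loading the rows with `csv.DictReader`, widening `window` if the extraction took longer than in this case.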