RomCom

#veryEasy #dfir

unzip RomCom.zip 
Archive:  RomCom.zip
[RomCom.zip] 2025-09-02T083211_pathology_department_incidentalert.vhdx password: 
  inflating: 2025-09-02T083211_pathology_department_incidentalert.vhdx
ls
2025-09-02T083211_pathology_department_incidentalert.vhdx
file 2025-09-02T083211_pathology_department_incidentalert.vhdx 
2025-09-02T083211_pathology_department_incidentalert.vhdx: Microsoft Disk Image eXtended, by .NET DiscUtils, sequence 0x4, NO Log Signature Microsoft Disk Image Extended; region, 2 entries, id Metadata, at 0x200000, Required 1, id BAT, at 0x300000, Required 1
sudo pacman -S qemu-base
sudo modprobe nbd max_part=8
sudo qemu-nbd --connect=/dev/nbd0 2025-09-02T083211_pathology_department_incidentalert.vhdx
sudo fdisk -l /dev/nbd0
Disk /dev/nbd0: 507 MiB, 531628032 bytes, 1038336 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 131072 bytes
Disklabel type: dos
Disk identifier: 0x72c7ae7e

Device      Boot Start     End Sectors   Size Id Type
/dev/nbd0p1 *       63 1038239 1038177 506.9M  7 HPFS/NTFS/exFAT
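The commands above attach the VHDX through the NBD driver and read its partition table by hand. As an added example (not part of the original notes), the script below wraps the same procedure into functions: it parses the `fdisk -l` output to find the NTFS partition's start sector and byte offset, and attaches and mounts the image strictly read-only so the evidence cannot be altered during analysis. The embedded fdisk text is the output shown above, copied in as a constructed sample so the parsing can be exercised without the image present; the mount helpers require root and the `qemu-nbd` flags used (`--read-only`, `--connect`, `--disconnect`) are standard ones.

```bash
#!/usr/bin/env bash
# Added example: mount a VHDX evidence image read-only via qemu-nbd and derive the
# partition offset from fdisk output. Not part of the original write-up.
set -eu

# Constructed sample: the fdisk -l output from the notes, embedded so the parsing
# functions can run without the real image attached.
FDISK_SAMPLE='Disk /dev/nbd0: 507 MiB, 531628032 bytes, 1038336 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
Disklabel type: dos
Disk identifier: 0x72c7ae7e

Device      Boot Start     End Sectors   Size Id Type
/dev/nbd0p1 *       63 1038239 1038177 506.9M  7 HPFS/NTFS/exFAT'

# partition_start_sector <fdisk output> <device>: start sector of that partition.
# The Boot column may be '*' or empty, so match on the device name and take the
# first purely numeric field after it.
partition_start_sector() {
    local out="$1" dev="$2"
    printf '%s\n' "$out" | awk -v dev="$dev" \
        '$1 == dev { for (i = 2; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }'
}

# sector_size <fdisk output>: logical sector size in bytes.
sector_size() {
    printf '%s\n' "$1" | awk '/^Sector size/ { sub(/.*: /, ""); split($0, a, " "); print a[1]; exit }'
}

# partition_offset_bytes <fdisk output> <device>: byte offset usable with
# mount -o offset=... when working from a raw image instead of an nbd partition node.
partition_offset_bytes() {
    local start size
    start=$(partition_start_sector "$1" "$2")
    size=$(sector_size "$1")
    echo $(( start * size ))
}

# mount_vhdx_ro <image> <mountpoint>: attach the image read-only through NBD and mount
# the first partition with ro,noexec,nodev so nothing on the evidence is written or
# executed. Requires root; assumes /dev/nbd0 is free.
mount_vhdx_ro() {
    local image="$1" mnt="$2"
    modprobe nbd max_part=8
    qemu-nbd --read-only --connect=/dev/nbd0 "$image"
    # Give the kernel/udev a moment to create the partition nodes.
    sleep 1
    partprobe /dev/nbd0 2>/dev/null || true
    mkdir -p "$mnt"
    mount -o ro,noexec,nodev /dev/nbd0p1 "$mnt"
}

# unmount_vhdx <mountpoint>: reverse mount_vhdx_ro.
unmount_vhdx() {
    umount "$1"
    qemu-nbd --disconnect /dev/nbd0
}

# Demonstration on the embedded sample (no root needed): ./mount_vhdx.sh --demo
if [ "${1:-}" = "--demo" ]; then
    echo "start sector: $(partition_start_sector "$FDISK_SAMPLE" /dev/nbd0p1)"
    echo "byte offset:  $(partition_offset_bytes "$FDISK_SAMPLE" /dev/nbd0p1)"
fi
```

Attaching with `--read-only` and mounting with `ro` is the part worth keeping even when working quickly: a plain `qemu-nbd --connect` followed by a default mount can update NTFS journal and timestamp data on the image, which is exactly the evidence a later `$MFT` analysis depends on.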

Google: WinRAR vulnerability exploited by the RomCom

https://nvd.nist.gov/vuln/detail/CVE-2025-8088

MFTECmd