Ransomware .3v3ris IEncrypt
On Monday, November 4, 2019, several Spanish companies, including Everis, suffered a security incident. Beyond the event itself, this is a short analysis of the different reports and comments on the impact caused by this IEncrypt ransomware.
1. Indicators of compromise
The threat phases are:
1. An Everis user accesses a compromised website whose source code was modified to show a fake browser update prompt and download a file.
2. The file is JavaScript (JS) code which infects the device with a command-and-control (C2) malware categorized as “EMOTET”. This JavaScript creates additional exe files.
3. Once the attackers control the infected device, they install a PowerShell post-exploitation framework called Empire. With the Empire Framework on the infected device, the attacker enumerates the network and obtains credentials from the infected device's cache. As a result, Empire installations are seen on several other hosts and servers.
4. The attackers distribute a ransomware family called “BitPaymer/IEncrypt” to Everis devices through the compromised hosts and servers.
1.1.1 Compromised website
A compromised website whose source code was modified to display a fake browser update prompt.
URL: hxxps://esancendoc[.]esan[.]edu[.]pe/ — Compromised website
1.1.2 Malicious file
The compromised website delivers a JS file, “Chrome.Update.3f61f4.js”. The JS script is a dropper which downloads “crhome.update.3f61f4.exe”, categorized as EMOTET. An additional exe file, “d0409052256c6efc85b155f58cc03f70.exe”, is then created and executed.

Indicators of Compromise
Chrome.Update.3f61f4.js
MD5: a9db3444e9c50da5ce6845ccc116255c
MD5: c1a5725f45e6a35bd82852210e29f941
URL to download the malware
URL: hxxps://click[.]clickanalytics208[.]com/s_code[.]js?cid=240&v=73a55f6de3dee2a751c3
EMOTET — crhome.update.3f61f4.exe
SHA256: 628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c
IP: 195.123.213.19
Port: 443
EMOTET — d0409052256c6efc85b155f58cc03f70.exe
SHA256: 1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05
1.1.3 Lateral movement
Lateral movement is performed by the attacker through the PowerShell post-exploitation framework called Empire, using the Sysinternals PsExec service binary “psexesvc.exe” to execute on remote hosts.
Indicators of Compromise
Empire Framework
IP: 185.92.74.215
Port: 443
1.1.4 Infection
Malware is distributed from compromised assets to affected endpoints.
Indicators of Compromise

BitPaymer/IEncrypt
SHA256: bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f — evrs.exe
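As an added example (not part of the original report), the following Python matches the report's network and file indicators against log lines, refanging the hxxp/[.] notation the report uses so the indicators compare against real URLs. The key=value log format and the sample lines are assumptions constructed for the example.

```python
import re

# Indicators quoted from this report, kept in its defanged notation.
NETWORK_IOCS = {
    "hxxps://esancendoc[.]esan[.]edu[.]pe/": "compromised website (fake browser update)",
    "hxxps://click[.]clickanalytics208[.]com/s_code[.]js": "dropper download",
    "195.123.213.19:443": "EMOTET C2",
    "185.92.74.215:443": "Empire C2",
}
HASH_IOCS = {
    "a9db3444e9c50da5ce6845ccc116255c": "Chrome.Update.3f61f4.js (dropper)",
    "c1a5725f45e6a35bd82852210e29f941": "Chrome.Update.3f61f4.js (dropper)",
    "628c181e6b9797d8356e43066ae182a45e6c37dbee28d9093df8f0825c342d4c": "EMOTET (crhome.update.3f61f4.exe)",
    "1d778359ab155cb190b9f2a7086c3bcb4082aa195ff8f754dae2d665fd20aa05": "EMOTET (second-stage exe)",
    "bd327754f879ff15b48fc86c741c4f546b9bbae5c1a5ac4c095df05df696ec4f": "BitPaymer/IEncrypt (evrs.exe)",
}

def refang(ioc):
    """Convert the report's defanged form (hxxp, [.]) into text that matches real logs."""
    return re.sub(r"^hxxp", "http", ioc).replace("[.]", ".").lower()

def parse_line(line):
    """Parse an assumed 'timestamp key=value ...' log line into a dict."""
    ts, *fields = line.split()
    return {"ts": ts, **dict(f.split("=", 1) for f in fields if "=" in f)}

def scan(lines):
    """Return (timestamp, src, label) for every line that touches a known indicator."""
    urls = {refang(u): lbl for u, lbl in NETWORK_IOCS.items() if u.startswith("hxxp")}
    hits = []
    for line in lines:
        rec = parse_line(line)
        url = rec.get("url", "-").split("?", 1)[0].lower()  # ignore query string
        labels = [lbl for prefix, lbl in urls.items() if url.startswith(prefix)]
        labels += [NETWORK_IOCS.get(f"{rec.get('dst')}:{rec.get('dport')}")]  # C2 endpoint
        labels += [HASH_IOCS.get(rec.get(k, "").lower()) for k in ("md5", "sha256")]
        hits += [(rec["ts"], rec.get("src"), lbl) for lbl in labels if lbl]
    return hits

SAMPLE_LOG = [  # constructed sample lines, not taken from the incident
    "2019-11-04T08:11:40Z src=10.20.1.15 dst=203.0.113.8 dport=443 url=https://esancendoc.esan.edu.pe/",
    "2019-11-04T08:11:58Z src=10.20.1.15 dst=203.0.113.9 dport=443 url=https://click.clickanalytics208.com/s_code.js?cid=240&v=73a55f6de3dee2a751c3",
    "2019-11-04T08:12:30Z src=10.20.1.15 host=WS0115 md5=A9DB3444E9C50DA5CE6845CCC116255C file=Chrome.Update.3f61f4.js",
    "2019-11-04T08:14:03Z src=10.20.1.15 dst=195.123.213.19 dport=443 url=-",
    "2019-11-04T10:40:12Z src=10.20.1.15 dst=185.92.74.215 dport=443 url=-",
    "2019-11-04T10:41:00Z src=10.20.1.15 dst=203.0.113.53 dport=53 url=-",
]
```

Running `scan(SAMPLE_LOG)` flags the first five lines in the order of the attack chain (compromised site, dropper download, dropper hash, EMOTET C2, Empire C2) and ignores the DNS line.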

Additional Data
Contact emails provided for response
sydney.wiley[@]protonmail.com
evangelina.mathews[@]tutanota.com
