S1032 PyDCrypt
PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.1
| Item | Value |
|---|---|
| ID | S1032 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 11 August 2022 |
| Last Modified | 24 October 2022 |
| Navigation Layer | View In ATT&CK® Navigator |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | PyDCrypt has attempted to execute with PowerShell.1 |
| enterprise | T1059.003 | Windows Command Shell | PyDCrypt has used cmd.exe for execution.1 |
| enterprise | T1059.006 | Python | PyDCrypt, along with its functions, is written in Python.1 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | PyDCrypt has decrypted and dropped the DCSrv payload to disk.1 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.004 | Disable or Modify System Firewall | PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using netsh.exe on remote machines.1 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | PyDCrypt will remove all created artifacts such as dropped executables.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Name or Location | PyDCrypt has dropped DCSrv under the svchost.exe name to disk.1 |
| enterprise | T1027 | Obfuscated Files or Information | PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the –key flag during the build phase.1 |
| enterprise | T1049 | System Network Connections Discovery | PyDCrypt has used netsh to find RPC connections on remote machines.1 |
| enterprise | T1033 | System Owner/User Discovery | PyDCrypt has probed victim machines with whoami and has collected the username from the machine.1 |
| enterprise | T1047 | Windows Management Instrumentation | PyDCrypt has attempted to execute with WMIC.1 |
Groups That Use This Software
| ID | Name | References |
|---|---|---|
| G1009 | Moses Staff | 1 |