Skip to content

S1032 PyDCrypt

PyDCrypt is malware written in Python designed to deliver DCSrv. It has been used by Moses Staff since at least September 2021, with each sample tailored for its intended victim organization.1

Item Value
ID S1032
Associated Names
Version 1.0
Created 11 August 2022
Last Modified 24 October 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell PyDCrypt has attempted to execute with PowerShell.1
enterprise T1059.003 Windows Command Shell PyDCrypt has used cmd.exe for execution.1
enterprise T1059.006 Python PyDCrypt, along with its functions, is written in Python.1
enterprise T1140 Deobfuscate/Decode Files or Information PyDCrypt has decrypted and dropped the DCSrv payload to disk.1
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall PyDCrypt has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using netsh.exe on remote machines.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion PyDCrypt will remove all created artifacts such as dropped executables.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location PyDCrypt has dropped DCSrv under the svchost.exe name to disk.1
enterprise T1027 Obfuscated Files or Information PyDCrypt has been compiled and encrypted with PyInstaller, specifically using the –key flag during the build phase.1
enterprise T1049 System Network Connections Discovery PyDCrypt has used netsh to find RPC connections on remote machines.1
enterprise T1033 System Owner/User Discovery PyDCrypt has probed victim machines with whoami and has collected the username from the machine.1
enterprise T1047 Windows Management Instrumentation PyDCrypt has attempted to execute with WMIC.1

Groups That Use This Software

ID Name References
G1009 Moses Staff 1