DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.
| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | DCSrv has created new services for persistence by modifying the Registry. |
| Enterprise | T1486 | Data Encrypted for Impact | DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor. |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | DCSrv has masqueraded its service as a legitimate svchost.exe process. |
| | | | DCSrv has used various Windows API functions, including |
| Enterprise | T1027 | Obfuscated Files or Information | DCSrv has a function to sleep for two hours before rebooting the system. |
| Enterprise | T1124 | System Time Discovery | DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process. |
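The Windows Service persistence and svchost.exe masquerading rows above translate into a simple host check: look for services whose name or ImagePath pretends to be svchost.exe but does not resolve to the real host process in System32, and for auto-start services whose binary sits in a user-writable directory. The script below is an added example written for this page; it is not DCSrv code and is not taken from ATT&CK or from Moses Staff reporting. It assumes the analyst has already exported each HKLM\SYSTEM\CurrentControlSet\Services\<Name> key into a dict with Name, ImagePath and Start (for example via reg.exe or an offline hive parser), that the only legitimate svchost.exe is C:\Windows\System32\svchost.exe, and that the user-writable prefixes listed are where a legitimate auto-start service should not live. The sample entries are constructed.

```python
"""Heuristic check for Windows services that masquerade as svchost.exe or that
persist from user-writable locations (T1543.003 / T1036.004 style tradecraft).

Added example for this page; not DCSrv code and not from any Moses Staff report.
Assumption: the caller exported HKLM\\SYSTEM\\CurrentControlSet\\Services\\<Name>
into dicts holding Name, ImagePath and Start.
"""
import ntpath
import re

# Assumption: standard install, so this is the only legitimate svchost.exe location.
SYSTEM32 = "c:\\windows\\system32"

# Assumption: directories an auto-start service has no business running from.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def normalize_image_path(image_path: str) -> str:
    """Return only the executable from an ImagePath value: surrounding quotes
    and arguments removed, the \\??\\ prefix dropped, %SystemRoot% or
    \\SystemRoot expanded (assumed C:\\Windows), and lower-cased for comparison.
    An unquoted path containing spaces is cut at the first space, which is
    exactly how the service control manager would also misparse it."""
    value = image_path.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        exe = value[1:] if end == -1 else value[1:end]
    else:
        exe = value.split(" ", 1)[0]
    exe = re.sub(r"^\\\?\?\\", "", exe)
    exe = re.sub(r"^(%systemroot%|\\systemroot)\\", "c:\\\\windows\\\\", exe, flags=re.I)
    return exe.lower()


def classify_service(name: str, image_path: str, start: int) -> list[str]:
    """Return the reasons this service looks suspicious (empty list if none)."""
    exe = normalize_image_path(image_path)
    directory, base = ntpath.split(exe)
    reasons = []
    # A binary called svchost.exe anywhere except System32 is a masquerade.
    if base == "svchost.exe" and directory != SYSTEM32:
        reasons.append(f"svchost.exe running from outside System32: {exe}")
    # A service *named* like svchost that does not run the real host process.
    if "svchost" in name.lower() and (base != "svchost.exe" or directory != SYSTEM32):
        reasons.append(f"service name mimics svchost but ImagePath is {exe}")
    # Start == 2 is SERVICE_AUTO_START; persistence from a user-writable path.
    if start == 2 and exe.startswith(USER_WRITABLE_PREFIXES):
        reasons.append(f"auto-start service from user-writable path: {exe}")
    return reasons


def scan_services(entries) -> dict:
    """Map service name -> reasons for every entry that trips a heuristic."""
    findings = {}
    for entry in entries:
        reasons = classify_service(entry["Name"], entry["ImagePath"], entry.get("Start", 3))
        if reasons:
            findings[entry["Name"]] = reasons
    return findings


# Constructed sample entries; not real registry data from an infected host.
SAMPLE_SERVICES = [
    {"Name": "Schedule", "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs -p", "Start": 2},
    {"Name": "svchost", "ImagePath": r"C:\Windows\svchost.exe", "Start": 2},
    {"Name": "WinUpdateSvc", "ImagePath": r'"C:\Users\Public\svchost.exe" -start', "Start": 2},
    {"Name": "MyApp", "ImagePath": r'"C:\Program Files\MyApp\svc.exe"', "Start": 3},
]

if __name__ == "__main__":
    for service_name, why in scan_services(SAMPLE_SERVICES).items():
        print(service_name)
        for line in why:
            print("   ", line)
```

Run against a live host the same logic applies to the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`, or to a hive parsed offline from a disk image; the svchost rule has essentially no legitimate hits, while the user-writable-path rule is a triage heuristic that will also catch some badly packaged third-party software, so treat its hits as leads rather than verdicts.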