sdclt.exe

  • File Path: C:\WINDOWS\system32\sdclt.exe
  • Description: Microsoft Windows Backup

Hashes

| Type | Hash |
|---|---|
| MD5 | A5E106A01B7A075E80C41DCDBB50951F |
| SHA1 | C90FDA080E86F4D7472D0D20AC848E71D664DE68 |
| SHA256 | 2496646830672FD5C1379D8108612AEF22284EACAE4D93B586C6EB6F96F29E91 |
| SHA384 | D8A2A9680851446632CE3522604F9A01EC7530F82B94976B9DBB66A7BB497140C196E8E1324DC127DD0B02E6077EBC24 |
| SHA512 | 7FB152DBC7B6ECBD6825DDA31F3D765D037A55B6372E19152FD862E22763CF34C183724F280D609691C368A534E04A34C3E5300CE9E2BFDDA427B2933A6ED836 |
| SSDEEP | 24576:flqvb98gRzq1VM9k3OPjJNj6tXsEsivqSPwgwGPfVADycN/s/cAMPSNDUxh9yDTi:EvegRzq1VM9k3OPjJNjq8EsiqSPwgwG+ |
| IMP | FF5971B8CA7F60994822E545275A6C4E |
| PESHA1 | 24004E3853BCED9B2F821EAC9BD005ED5A6E1ABD |
| PE256 | 72CEA3353C0BC8AB89FF7B0026FCA4D7E5E49DCA67FD5DAFAD3BB9B1C9DA05B3 |

Runtime Data

Loaded Modules:

| Path |
|---|
| C:\WINDOWS\System32\GDI32.dll |
| C:\WINDOWS\System32\KERNEL32.DLL |
| C:\WINDOWS\System32\KERNELBASE.dll |
| C:\WINDOWS\SYSTEM32\ntdll.dll |
| C:\WINDOWS\system32\sdclt.exe |

Signature

  • Status: Signature verified.
  • Serial: 33000002ED2C45E4C145CF48440000000002ED
  • Thumbprint: 312860D2047EB81F8F58C29FF19ECDB4C634CF6A
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdclt.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.22000.1 (WinBuild.160101.0800)
  • Product Version: 10.0.22000.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/71
  • VirusTotal Link: https://www.virustotal.com/gui/file/2496646830672fd5c1379d8108612aef22284eacae4d93b586c6eb6f96f29e91/detection

Possible Misuse

The following table contains possible examples of sdclt.exe being misused. While sdclt.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

| Source | Source File | Example | License |
|---|---|---|---|
| sigma | proc_creation_win_high_integrity_sdclt.yml | title: High Integrity Sdclt Process | DRL 1.0 |
| sigma | proc_creation_win_high_integrity_sdclt.yml | description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques. | DRL 1.0 |
| sigma | proc_creation_win_high_integrity_sdclt.yml | Image\|endswith: 'sdclt.exe' | DRL 1.0 |
| sigma | proc_creation_win_sdclt_child_process.yml | title: Sdclt Child Processes | DRL 1.0 |
| sigma | proc_creation_win_sdclt_child_process.yml | description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques. | DRL 1.0 |
| sigma | proc_creation_win_sdclt_child_process.yml | ParentImage\|endswith: '\sdclt.exe' | DRL 1.0 |
| sigma | registry_event_bypass_uac_using_delegateexecute.yml | - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute | DRL 1.0 |
| sigma | registry_event_comhijack_sdclt.yml | title: COM Hijack via Sdclt | DRL 1.0 |
| sigma | registry_event_comhijack_sdclt.yml | - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass | DRL 1.0 |
| sigma | registry_event_uac_bypass_sdclt.yml | title: UAC Bypass via Sdclt | DRL 1.0 |
| sigma | registry_event_uac_bypass_sdclt.yml | description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) | DRL 1.0 |
| sigma | registry_event_uac_bypass_sdclt.yml | - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ | DRL 1.0 |
| malware-ioc | misp_invisimole.json | "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/" | © ESET 2014-2018 |
| atomic-red-team | index.md | - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | windows-index.md | - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | - Atomic Test #7 - Bypass UAC using sdclt DelegateExecute | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | ## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Reference - sevagas.com | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Start-Process -FilePath $env:windir\system32\sdclt.exe | MIT License. © 2018 Red Canary |
| atomic-red-team | T1548.002.md | Target: \system32\sdclt.exe | MIT License. © 2018 Red Canary |

MIT License. Copyright (c) 2020-2021 Strontic.