sdclt.exe

  • File Path: C:\Windows\system32\sdclt.exe
  • Description: Microsoft Windows Backup

Hashes

Type Hash
MD5 E09D48F225E7ABCAB14EBD3B8A9668EC
SHA1 1C5B9322B51C09A407D182DF481609F7CB8C425D
SHA256 EFD238EA79B93D07852D39052F1411618C36E7597E8AF0966C4A3223F0021DC3
SHA384 9B50676CAB56A4225F62A4490960CE39A0EE87D612A297F9E04F85B6558E6CCBD62D87F64758F3AD50E5790C1EBA7AA1
SHA512 384D606B90C4803E5144B4DE24EDC537CB22DD59336A18A58D229500ED36AEC92C8467CAE6D3F326647BD044D8074931DA553C7809727FB70227E99C257DF0B4
SSDEEP 24576:VK0ddqA6u5zrIlGjck1iPh9yptQHZ7RHegR:RHrmjk1iPaQ5dH9
IMP 1F4349F0C287A904C0483B5CD434DF28
PESHA1 FD235C37B554BFF1E0BAC1C85E5E2758B4C6370A
PE256 D8CB97E4036DF66FC36B8720F2B0C381510B3D63D5D3FF31356B97B65C33EBCC

Runtime Data

Child Processes:

RdpSa.exe

Loaded Modules:

Path
C:\Windows\System32\advapi32.dll
C:\Windows\System32\combase.dll
C:\Windows\System32\CRYPT32.dll
C:\Windows\System32\GDI32.dll
C:\Windows\System32\gdi32full.dll
C:\Windows\System32\KERNEL32.DLL
C:\Windows\System32\KERNELBASE.dll
C:\Windows\System32\msvcp_win.dll
C:\Windows\System32\msvcrt.dll
C:\Windows\SYSTEM32\ntdll.dll
C:\Windows\System32\OLEAUT32.dll
C:\Windows\system32\ReAgent.dll
C:\Windows\System32\RPCRT4.dll
C:\Windows\system32\sdclt.exe
C:\Windows\System32\sechost.dll
C:\Windows\system32\SPP.dll
C:\Windows\System32\ucrtbase.dll
C:\Windows\System32\USER32.dll
C:\Windows\system32\VSSAPI.DLL
C:\Windows\system32\wer.dll
C:\Windows\System32\win32u.dll

Signature

  • Status: Signature verified.
  • Serial: 33000002EC6579AD1E670890130000000002EC
  • Thumbprint: F7C2F2C96A328C13CDA8CDB57B715BDEA2CBD1D9
  • Issuer: CN=Microsoft Windows Production PCA 2011, O=Microsoft Corporation, L=Redmond, S=Washington, C=US
  • Subject: CN=Microsoft Windows, O=Microsoft Corporation, L=Redmond, S=Washington, C=US

File Metadata

  • Original Filename: sdclt.exe.mui
  • Product Name: Microsoft Windows Operating System
  • Company Name: Microsoft Corporation
  • File Version: 10.0.19041.1 (WinBuild.160101.0800)
  • Product Version: 10.0.19041.1
  • Language: English (United States)
  • Legal Copyright: Microsoft Corporation. All rights reserved.
  • Machine Type: 64-bit

File Scan

  • VirusTotal Detections: 0/73
  • VirusTotal Link: https://www.virustotal.com/gui/file/efd238ea79b93d07852d39052f1411618c36e7597e8af0966c4a3223f0021dc3/detection

File Similarity (ssdeep match)

File Score
C:\Windows\system32\sdclt.exe 54
C:\Windows\system32\sdclt.exe 47
C:\Windows\system32\sdclt.exe 50
C:\Windows\system32\sdclt.exe 47
C:\WINDOWS\system32\sdclt.exe 47

Possible Misuse

The following table contains possible examples of sdclt.exe being misused. While sdclt.exe is not inherently malicious, its legitimate functionality can be abused for malicious purposes.

Source Source File Example License
sigma proc_creation_win_high_integrity_sdclt.yml title: High Integrity Sdclt Process DRL 1.0
sigma proc_creation_win_high_integrity_sdclt.yml description: A General detection for sdclt being spawned as an elevated process. This could be an indicator of sdclt being used for bypass UAC techniques. DRL 1.0
sigma proc_creation_win_high_integrity_sdclt.yml Image\|endswith: 'sdclt.exe' DRL 1.0
sigma proc_creation_win_sdclt_child_process.yml title: Sdclt Child Processes DRL 1.0
sigma proc_creation_win_sdclt_child_process.yml description: A General detection for sdclt spawning new processes. This could be an indicator of sdclt being used for bypass UAC techniques. DRL 1.0
sigma proc_creation_win_sdclt_child_process.yml ParentImage\|endswith: '\sdclt.exe' DRL 1.0
sigma registry_event_bypass_uac_using_delegateexecute.yml - https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1548.002/T1548.002.md#atomic-test-7---bypass-uac-using-sdclt-delegateexecute DRL 1.0
sigma registry_event_comhijack_sdclt.yml title: COM Hijack via Sdclt DRL 1.0
sigma registry_event_comhijack_sdclt.yml - http://blog.sevagas.com/?Yet-another-sdclt-UAC-bypass DRL 1.0
sigma registry_event_uac_bypass_sdclt.yml title: UAC Bypass via Sdclt DRL 1.0
sigma registry_event_uac_bypass_sdclt.yml description: Detects the pattern of UAC Bypass using registry key manipulation of sdclt.exe (e.g. UACMe 53) DRL 1.0
sigma registry_event_uac_bypass_sdclt.yml - https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/ DRL 1.0
malware-ioc misp_invisimole.json "https://enigma0x3.net/2017/03/17/fileless-uac-bypass-using-sdclt-exe/" © ESET 2014-2018
atomic-red-team index.md - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] MIT License. © 2018 Red Canary
atomic-red-team windows-index.md - Atomic Test #7: Bypass UAC using sdclt DelegateExecute [windows] MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md - Atomic Test #7 - Bypass UAC using sdclt DelegateExecute MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md ## Atomic Test #7 - Bypass UAC using sdclt DelegateExecute MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Upon successful execution, sdclt.exe will spawn cmd.exe to spawn notepad.exe MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Reference - sevagas.com MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Start-Process -FilePath $env:windir\system32\sdclt.exe MIT License. © 2018 Red Canary
atomic-red-team T1548.002.md Target: \system32\sdclt.exe MIT License. © 2018 Red Canary

MIT License. Copyright (c) 2020-2021 Strontic.