Found the sample: it is a worm called Safesys. The worm can operate at ring0 and writes to the disk directly by communicating with the atapi.sys driver. In the test, Shadow Defender 1.2.0.346 and Sandboxie 3.x managed to stop the worm from persisting. However, similar software, Comodo Time Machine 2.8 and Deep Freeze 7, failed to stop it from persisting on the system. Sandboxie stopped the attack because it prevented the malware driver from loading in the first place. Not sure about the internal workings of SD, but I would expect the same.