INFO Question



tomtom2
21-01-2023, 01:03 AM
Hi, sorry to be paranoid, but could you please explain why the sandbox report shows IP traffic to 4 IPs that are connected to ransomware:

20.99.132.105:443 (TCP)
20.99.133.109:443 (TCP)
20.99.184.37:443 (TCP)
23.216.147.64:443 (TCP)

Behavior sandbox - You have to register to be able to see this link 2a14c70aa0b9f2/behavior
4 Ransomware IPs - You have to register to be able to see this link

Tiger
21-01-2023, 12:27 PM
Hello. Those IP addresses aren't malicious. They belong to Akamai and are used by Microsoft to manage traffic to their servers.

Sources:
You have to register to be able to see this link
You have to register to be able to see this link


Most of the time sandboxes collect information per machine and not per application (or process). For example, if another application, which isn't related to the scanned one, creates a network connection to a server, then the DNS name/IP of the server will appear in the report too. They monitor at machine level to avoid missing information, and they have a good reason to do that. To give you a simple example: at process level they would miss some information if a scanned application decided to inject all its malicious code into another application, as they would monitor only the scanned application.


Look at this legit Microsoft explorer.exe executable (You have to register to be able to see this link b3eecb96175bb5/relations): you can find 20.99.132.105, 20.99.184.37 and 23.216.147.64 there. Does that mean this executable is malicious? Answer: No.

PS: Socradar.io should validate their IOCs before posting them... none of them, except for that URL, could be considered malicious or IOCs...
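The machine-level versus process-level distinction described in the reply above, as an added example that is not from this thread: a small Python script over a constructed sandbox snapshot (the PIDs, process names, injection event and destination IPs are all made up; the 198.51.100.0/24, 203.0.113.0/24 and 192.0.2.0/24 addresses are documentation ranges) that splits the report's destination IPs into sample-related traffic and background noise by walking the sample's process tree and injection targets, and shows what a sample-PID-only view would miss.

```python
"""Split machine-wide sandbox network events into sample traffic vs. background noise.

A sandbox that captures traffic for the whole VM lists connections from unrelated
processes (updaters, telemetry) next to the sample's own. Tracking the sample's
process tree plus any process it injected into lets us separate the two, and
also shows why watching only the sample's PID would miss injected code.
"""

# Constructed process snapshot: pid -> (parent pid, image name)
PROCESSES = {
    4: (0, "System"),
    600: (4, "services.exe"),
    1200: (600, "svchost.exe"),   # becomes an injection target below
    1300: (600, "svchost.exe"),   # unrelated background service (OS telemetry)
    2000: (600, "explorer.exe"),
    3000: (2000, "sample.exe"),   # the scanned sample
    3100: (3000, "cmd.exe"),      # child spawned by the sample
}
# Constructed injection events recorded by the sandbox: (source pid, target pid)
INJECTIONS = [(3000, 1200)]
# Constructed machine-wide network events: (pid, destination ip, destination port)
NET_EVENTS = [
    (1300, "20.99.132.105", 443),   # background: not caused by the sample
    (1300, "23.216.147.64", 443),   # background: not caused by the sample
    (3000, "198.51.100.7", 443),    # sample's own connection
    (3100, "203.0.113.9", 80),      # sample's child process
    (1200, "192.0.2.50", 8443),     # injected code running inside svchost.exe
]


def related_pids(sample_pid, processes, injections):
    """Return the sample, its descendants, and injection targets (transitively)."""
    related = {sample_pid}
    changed = True
    while changed:  # iterate until no new pid is pulled into the set
        changed = False
        for pid, (ppid, _name) in processes.items():
            if ppid in related and pid not in related:
                related.add(pid)
                changed = True
        for src, dst in injections:
            if src in related and dst not in related:
                related.add(dst)
                changed = True
    return related


def attribute(events, related):
    """Map each destination IP to 'sample' or 'background' (machine-wide noise)."""
    verdict = {}
    for pid, ip, _port in events:
        origin = "sample" if pid in related else "background"
        if verdict.get(ip) != "sample":  # a sample-originated sighting wins
            verdict[ip] = origin
    return verdict


def process_only_view(events, sample_pid):
    """IPs a sandbox would see if it watched only the sample's own PID."""
    return {ip for pid, ip, _port in events if pid == sample_pid}
```

Run `attribute(NET_EVENTS, related_pids(3000, PROCESSES, INJECTIONS))` to see the two Akamai/Microsoft-style addresses land in the background bucket while the injected svchost.exe connection is still credited to the sample; `process_only_view` drops that injected connection entirely.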