.ocx

Executable

Contributors:

Bhabesh Raj - @bh4b3sh, mbmy

Description:

OCX, or OLE Control Extension, files are ActiveX controls that Microsoft developed to let applications perform specific functions by calling ready-made components. Unlike EXE files, they cannot be run by double-clicking; they must first be registered (for example via Regsvr32). In many respects they behave like .dll files. This file extension can be used to evade AV defense rules that look only for .dll files spawning from unusual processes.

OS:

Windows

Recommendation:

Look for parent/child process relationships in which Regsvr32 is executed with Microsoft Word or Microsoft Excel as the parent process. Attackers commonly drop these files via macro-enabled Office documents.
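The recommendation above, expressed as detection logic over process-creation telemetry. This is an added example, not code from the original page: it runs over a handful of constructed Sysmon Event ID 1-style records (the field names Image, ParentImage and CommandLine follow Sysmon; the paths and command lines are made up) and flags Regsvr32 whose parent is winword.exe or excel.exe. It also records which module extension was passed to Regsvr32, so that a rule keyed only on ".dll" is visibly insufficient: the .ocx case from the description is caught the same way.

```python
import re
from pathlib import PureWindowsPath

# Office applications the recommendation names as suspicious parents of Regsvr32.
OFFICE_PARENTS = {"winword.exe", "excel.exe"}

# Constructed sample events (Sysmon Event ID 1-like field names; values are invented).
SAMPLE_EVENTS = [
    {  # Word spawning regsvr32 to register a dropped .ocx: should be flagged
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r'regsvr32.exe /s "C:\Users\alice\AppData\Local\Temp\invoice.ocx"',
    },
    {  # Excel spawning regsvr32 with a .dll: same parent/child pattern, also flagged
        "Image": r"C:\Windows\SysWOW64\regsvr32.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
        "CommandLine": r"regsvr32.exe /s C:\Users\alice\Downloads\report.dll",
    },
    {  # an installer registering an OCX under msiexec: expected, not flagged
        "Image": r"C:\Windows\System32\regsvr32.exe",
        "ParentImage": r"C:\Windows\System32\msiexec.exe",
        "CommandLine": r'regsvr32.exe /s "C:\Windows\System32\mscomctl.ocx"',
    },
    {  # Word starting something other than regsvr32: not flagged by this rule
        "Image": r"C:\Windows\System32\notepad.exe",
        "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        "CommandLine": r"notepad.exe C:\Users\alice\notes.txt",
    },
]

# Tokenises a Windows command line into quoted strings and bare words.
_ARG_RE = re.compile(r'"([^"]+)"|(\S+)')


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path (comparison is case-insensitive on Windows)."""
    return PureWindowsPath(path).name.lower()


def registered_modules(command_line: str) -> list[str]:
    """Return the .ocx/.dll paths passed to regsvr32 on this command line."""
    modules = []
    for quoted, bare in _ARG_RE.findall(command_line):
        token = quoted or bare
        if image_name(token).endswith((".ocx", ".dll")):
            modules.append(token)
    return modules


def detect_office_regsvr32(events: list[dict]) -> list[dict]:
    """One finding per regsvr32.exe process whose parent is Word or Excel."""
    findings = []
    for ev in events:
        if image_name(ev["Image"]) != "regsvr32.exe":
            continue
        parent = image_name(ev["ParentImage"])
        if parent not in OFFICE_PARENTS:
            continue
        modules = registered_modules(ev["CommandLine"])
        findings.append({
            "parent": parent,
            "modules": modules,
            # extension of each registered module; a ".dll"-only rule would miss ".ocx"
            "extensions": sorted({PureWindowsPath(m).suffix.lower() for m in modules}),
        })
    return findings


if __name__ == "__main__":
    for finding in detect_office_regsvr32(SAMPLE_EVENTS):
        print(f"regsvr32 spawned by {finding['parent']}: "
              f"{finding['modules']} (extensions {finding['extensions']})")
```

The check deliberately keys on the parent/child relationship rather than on the module extension, because the description's point is that swapping .dll for .ocx defeats extension-only rules; the extension is recorded only so an analyst can see what was registered. Matching on the process image name rather than the command line also covers the case where Regsvr32 is invoked through a renamed or quoted path.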

Resources:

https://www.uptycs.com/blog/attackers-increasingly-adopting-regsvr32-utility-execution-via-office-documents

File Samples: