The malware contains the resource sections X86. Each of the resources contains an embedded PE file.
Lab21-02.exe is compiled for a 32-bit system. This is shown in the PE Characteristics field, where the IMAGE_FILE_32BIT_MACHINE flag is set.
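
The check described above can be scripted for triage. This is an added example, not code from the original lab material: the function names pe_bitness and build_sample are hypothetical, and the sample bytes are constructed header-only stand-ins rather than the lab binary.

```python
import struct

IMAGE_FILE_32BIT_MACHINE = 0x0100            # bit in IMAGE_FILE_HEADER.Characteristics
MACHINES = {0x014C: "x86", 0x8664: "x64"}    # IMAGE_FILE_MACHINE_I386 / _AMD64
OPT_MAGIC = {0x10B: "PE32", 0x20B: "PE32+"}  # optional-header Magic values


def pe_bitness(data: bytes) -> dict:
    """Report Machine, the 32-bit Characteristics flag and the optional-header format."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # PE signature (4 bytes) + IMAGE_FILE_HEADER (20 bytes) + optional-header Magic (2 bytes)
    if e_lfanew + 26 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    machine, _nsec, _ts, _symptr, _nsym, _optsize, characteristics = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    (magic,) = struct.unpack_from("<H", data, e_lfanew + 24)
    return {
        "machine": MACHINES.get(machine, hex(machine)),
        "flag_32bit": bool(characteristics & IMAGE_FILE_32BIT_MACHINE),
        "optional_header": OPT_MAGIC.get(magic, hex(magic)),
    }


def build_sample(machine: int, characteristics: int, magic: int) -> bytes:
    """Constructed header-only sample (not a real binary) so the check runs offline."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, 0xE0, characteristics)
    return dos + b"PE\0\0" + file_hdr + struct.pack("<H", magic)


if __name__ == "__main__":
    # 0x0102 = EXECUTABLE_IMAGE | 32BIT_MACHINE; 0x0022 = EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    for label, blob in (("x86 sample", build_sample(0x014C, 0x0102, 0x10B)),
                        ("x64 sample", build_sample(0x8664, 0x0022, 0x20B))):
        print(label, pe_bitness(blob))
```

Running the same function over each PE extracted from the resource sections shows which payload targets which architecture.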
The malware attempts to resolve and call determine if it is running on an x64 system.
On an x86 machine, the malware drops the X86 resource to disk and injects it into explorer.exe. On an x64 machine, the malware drops two files from the resource sections to disk and launches the executable as a 64-bit process.
On an x86 system, the malware drops Lab21-02.dll into the Windows system directory, which will typically be C:\Windows\System32\ ...