Lab 21-2 Solutions

Short Answers

  1. The malware contains the resource sections X64, X64DLL, and X86. Each of the resources contains an embedded PE file.

  2. Lab21-02.exe is compiled for a 32-bit system. This is shown in the PE header’s Characteristics field, where the IMAGE_FILE_32BIT_MACHINE flag is set. The Machine field of the same IMAGE_FILE_HEADER gives the definitive answer: for an x86 binary it is IMAGE_FILE_MACHINE_I386 (0x014C), and the optional header’s Magic is 0x10B (PE32) rather than 0x20B (PE32+).

  3. The malware attempts to resolve IsWow64Process (via GetProcAddress, since older versions of Windows do not export it from kernel32.dll) and calls it to determine whether it is running on an x64 system. For a 32-bit process, a TRUE result means the process is running under WOW64, that is, on a 64-bit version of Windows.

  4. On an x86 machine, the malware drops the X86 resource to disk and injects it into explorer.exe. On an x64 machine, the malware drops two files from the X64 and X64DLL resource sections to disk and launches the executable as a 64-bit process.

  5. On an x86 system, the malware drops Lab21-02.dll into the Windows system directory, which will typically be C:\Windows\System32\ ...
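The check behind answers 1 and 2 can be automated. The following is an added example, not code from the book or from the lab binary: it parses the IMAGE_FILE_HEADER and optional-header Magic of a PE image and reports whether the file is 32-bit or 64-bit, flagging a header whose Machine, Magic and IMAGE_FILE_32BIT_MACHINE values disagree. The three sample images are constructed in memory for the example (a DOS header, the PE signature, a file header and just the Magic word); they are not Lab21-02.exe and are not loadable. Walking the resource directory to list X64, X64DLL and X86 is not shown here.

```python
"""Minimal PE header triage: 32-bit vs 64-bit from three header fields."""
import struct

# Constants as defined in winnt.h
IMAGE_DOS_SIGNATURE = 0x5A4D            # "MZ"
IMAGE_NT_SIGNATURE = 0x00004550         # "PE\0\0"
IMAGE_FILE_MACHINE_I386 = 0x014C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B   # PE32
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B   # PE32+

CHARACTERISTICS = {
    0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
    0x0020: "IMAGE_FILE_LARGE_ADDRESS_AWARE",
    0x0100: "IMAGE_FILE_32BIT_MACHINE",
    0x2000: "IMAGE_FILE_DLL",
}
MACHINE_NAMES = {IMAGE_FILE_MACHINE_I386: "x86", IMAGE_FILE_MACHINE_AMD64: "x64"}


def parse_pe_header(data):
    """Return Machine, section count, Characteristics names and optional-header Magic."""
    if len(data) < 0x40 or struct.unpack_from("<H", data, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 26 > len(data) or struct.unpack_from("<I", data, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER (20 bytes) follows the 4-byte "PE\0\0" signature.
    machine, nsect, _ts, _symtab, _nsym, opt_size, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    # IMAGE_OPTIONAL_HEADER starts right after; its first WORD is Magic.
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0] if opt_size >= 2 else None
    return {
        "machine": MACHINE_NAMES.get(machine, hex(machine)),
        "sections": nsect,
        "flags": sorted(name for bit, name in CHARACTERISTICS.items() if chars & bit),
        "magic": magic,
    }


def classify(data):
    """'32-bit', '64-bit', 'inconsistent' if the header fields disagree, else 'unknown'."""
    h = parse_pe_header(data)
    votes = {
        "machine": {"x86": "32-bit", "x64": "64-bit"}.get(h["machine"]),
        "magic": {IMAGE_NT_OPTIONAL_HDR32_MAGIC: "32-bit",
                  IMAGE_NT_OPTIONAL_HDR64_MAGIC: "64-bit"}.get(h["magic"]),
        # The flag only ever argues for 32-bit; its absence proves nothing.
        "flag": "32-bit" if "IMAGE_FILE_32BIT_MACHINE" in h["flags"] else None,
    }
    decided = {v for v in votes.values() if v}
    if len(decided) == 1:
        return decided.pop()
    return "inconsistent" if decided else "unknown"


def build_minimal_pe(machine, characteristics, magic):
    """Constructed sample for this example: DOS header, PE signature, file header, Magic."""
    e_lfanew = 0x40
    dos = struct.pack("<H", IMAGE_DOS_SIGNATURE) + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    file_hdr = struct.pack("<HHIIIHH", machine, 1, 0, 0, 0, 2, characteristics)
    return dos + struct.pack("<I", IMAGE_NT_SIGNATURE) + file_hdr + struct.pack("<H", magic)


# Constructed inputs (hypothetical, not the lab binaries):
SAMPLE_X86 = build_minimal_pe(IMAGE_FILE_MACHINE_I386, 0x0102, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
SAMPLE_X64 = build_minimal_pe(IMAGE_FILE_MACHINE_AMD64, 0x0022, IMAGE_NT_OPTIONAL_HDR64_MAGIC)
# Machine says x86 but Magic says PE32+: a tampered or corrupt header.
SAMPLE_MIXED = build_minimal_pe(IMAGE_FILE_MACHINE_I386, 0x0102, IMAGE_NT_OPTIONAL_HDR64_MAGIC)

if __name__ == "__main__":
    for name, blob in (("x86", SAMPLE_X86), ("x64", SAMPLE_X64), ("mixed", SAMPLE_MIXED)):
        print(name, classify(blob), parse_pe_header(blob))
```

To run it against a real file, pass `open(path, "rb").read()` to `classify`; the function never executes or maps the image, so it is safe to point at a malware sample on an analysis box.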
