GREM Exam Questions
192 real GREM exam questions with expert-verified answers and explanations. Page 3 of 4.
- Question #101
Which instructions or constructs are essential to understand when analyzing malware for anti-analysis techniques? (Choose Two)
- Question #102
Which of the following techniques can be used to defeat code obfuscation in malware?
- Question #103
In the context of malware analysis, what is the purpose of unpacking an executable?
- Question #104
Which techniques are commonly used for unpacking malware? (Choose two)
- Question #105
Which malware technique involves injecting code into a legitimate process to execute malicious activities?
- Question #106
What is a common sign that a PDF might be malicious?
- Question #107
Which tool or technique is most effective for identifying whether a Windows executable is packed?
- Question #108
Why is it important to analyze unpacked versions of malware?
- Question #109
Which registers are commonly used to pass function arguments in x86 assembly language? (Choose two)
- Question #110
Which of the following flow control structures is often used by malware to loop through a list of tasks or commands?
- Question #111
What is the primary goal of obfuscating malware code?
- Question #112
Which method can be used by malware to persist in Office documents through macros?
- Question #113
What is the primary purpose of using a disassembler in reverse engineering malware?
- Question #114
Which tool is typically used to debug packed Windows executables?
- Question #115
Which of the following tools or methods can be effectively used to analyze malicious RTF files? (Choose Two)
- Question #116
You are analyzing a malware sample that is packed and evades static analysis. During execution, the malware unpacks itself into memory. How would you proceed with the analysis? (Ch...
- Question #117
You are analyzing an obfuscated malware sample that has been packed using a custom packer. The malware also uses XOR encoding to obfuscate key strings, making static analysis diffi...
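Added worked example for the XOR string obfuscation in Question #117 (this is illustrative code written for this page, not part of the question bank or of any tool the questions mention). It shows the two ways an analyst usually recovers XOR-encoded strings once the blob has been carved out of the unpacked image: brute-forcing all single-byte keys and scoring the candidates, and a known-plaintext attack that recovers a repeating multi-byte key from a guessed prefix such as `http`. The C2 URL (an RFC 5737 documentation address), both keys and the hint substrings are constructed assumptions for the demo.

```python
# Added example (not part of the GREM question bank): recovering XOR-encoded
# strings from an obfuscated sample, as described in Question #117.
from typing import Iterable, Optional, Tuple

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
# Fragments that commonly appear in malware strings; each match adds a point.
# These are the example's own choice, not a canonical list.
DEFAULT_HINTS = (b"http", b"kernel32", b".dll", b".exe", b"cmd.exe", b"powershell")


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key (single- or multi-byte). XOR is its own
    inverse, so the same call encodes and decodes."""
    if not key:
        raise ValueError("key must be non-empty")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not data:
        return 0.0
    return sum(1 for b in data if b in PRINTABLE) / len(data)


def score_plaintext(candidate: bytes, hints: Iterable[bytes] = DEFAULT_HINTS) -> float:
    """Higher is better: printable ratio (0..1) plus one point per hint found."""
    return printable_ratio(candidate) + sum(1.0 for h in hints if h in candidate)


def brute_force_single_byte(blob: bytes,
                            hints: Iterable[bytes] = DEFAULT_HINTS
                            ) -> Optional[Tuple[int, bytes, float]]:
    """Try every non-zero single-byte key; return (key, plaintext, score) of the best."""
    hints = tuple(hints)
    best = None
    for k in range(1, 256):
        pt = xor_bytes(blob, bytes([k]))
        s = score_plaintext(pt, hints)
        if best is None or s > best[2]:
            best = (k, pt, s)
    return best


def recover_key_from_prefix(blob: bytes, known_prefix: bytes, key_len: int) -> bytes:
    """Known-plaintext attack: if the decoded string is known to begin with
    known_prefix and the key repeats every key_len bytes (key_len <= len(prefix)),
    the key is simply ciphertext XOR plaintext over the first key_len bytes."""
    if key_len > len(known_prefix):
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_bytes(blob[:key_len], known_prefix[:key_len])


# Constructed sample: a C2 URL as the malware might store it, encoded with a
# single-byte key (0x5A) and with a 3-byte repeating key.
PLAINTEXT = b"http://198.51.100.23/gate.php"
ENCODED_1B = xor_bytes(PLAINTEXT, b"\x5a")
ENCODED_3B = xor_bytes(PLAINTEXT, b"\x5a\xa3\x07")

if __name__ == "__main__":
    key, pt, score = brute_force_single_byte(ENCODED_1B)
    print(f"single-byte key 0x{key:02x}: {pt!r} (score {score:.2f})")
    key3 = recover_key_from_prefix(ENCODED_3B, b"http", 3)
    print(f"3-byte key {key3.hex()}: {xor_bytes(ENCODED_3B, key3)!r}")
```

In practice the candidate blobs come from the strings or high-entropy regions of the memory dump taken after the custom packer has run; the scoring step matters because several keys will yield mostly printable garbage, and only the right one produces a recognisable URL or API name.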
- Question #118
What aspect of a file is NOT typically considered during static analysis?
- Question #119
Why would a .NET malware analyst focus on the app.config or web.config files?
- Question #120
During static analysis of a suspicious executable, you notice it imports only LoadLibraryA and GetProcAddress. What is the MOST likely reason?
- Question #121
You execute the sample in a VM and observe it creates a new process using CreateProcess, then immediately suspends it and modifies its memory. What technique is this?
- Question #122
A malware sample checks the registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProductId What is the MOST likely purpose?
- Question #123
A malware dynamically allocates RWX memory and copies code into it. What is the BEST indication for next analysis step?
- Question #124
During network analysis, you observe HTTPS traffic with fixed-size periodic requests. Which behavior is MOST likely?
- Question #125
Which outcome indicates successful deobfuscation of malicious JavaScript?
- Question #126
Which of the following dynamic analysis tools is used to trace and debug malware execution?
- Question #127
What is the purpose of analyzing embedded scripts in a PDF file?
- Question #128
Why is it important to analyze the control words within an RTF document when investigating for malicious content?
- Question #129
Which of the following is a potential indicator that an Office macro is attempting to download additional payloads?
- Question #130
What would an analyst be looking for when examining the import address table (IAT) of a Windows PE file during malware analysis?
- Question #131
What features should a malware analysis lab have to ensure effective analysis? (Choose Three)
- Question #132
What is the primary goal of behavioral malware analysis?
- Question #133
Which of the following JavaScript features can be abused to obfuscate code?
- Question #134
What is the first step in behavioral analysis when dealing with a new malware sample?
- Question #135
Which technique can be used by malware to evade dynamic analysis tools?
- Question #136
In analyzing an RTF file, what is the significance of encountering large blocks of obfuscated or encoded data?
- Question #137
Which techniques are used by malware to misdirect analysts and evade reverse engineering? (Choose two)
- Question #138
What file structure is analyzed in the static analysis of a Windows executable?
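Added worked example for Questions #107 and #138 (illustrative code written for this page, not from the question bank or from any packer-detection tool the questions refer to). It walks the PE file structure that static analysis inspects (DOS header, PE signature, COFF header, section table) using only the standard library, computes Shannon entropy per section, and reports the classic packing indicators: non-standard section names, near-random section contents, sections that are both writable and executable, and a section with no data on disk but a large virtual size for the stub to unpack into. The two sample images are constructed inline (a UPX-style layout and a plain compiler layout); the 0xE0 PE32 optional-header size, the entropy threshold of 7.0 and the known-name list are the example's own assumptions and heuristics.

```python
# Added example, not part of the question bank: static packing heuristics
# over a PE section table, standard library only.
import math
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# Section names a stock MSVC/MinGW linker emits; anything else deserves a look.
KNOWN_SECTION_NAMES = {".text", ".data", ".rdata", ".bss", ".idata", ".edata",
                       ".rsrc", ".reloc", ".tls", ".pdata", ".CRT"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 (constant) to 8.0 (uniform). Compressed or encrypted
    payloads sit above ~7.0; ordinary x86 code is usually around 5.5-6.5."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> PE signature -> COFF header -> IMAGE_SECTION_HEADER array."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size            # section table follows the optional header
    sections = []
    for i in range(num_sections):
        off = table + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("latin-1")
        vsize, _va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, off + 8)
        chars = struct.unpack_from("<I", pe, off + 36)[0]
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name, "vsize": vsize, "raw_size": raw_size,
                         "entropy": shannon_entropy(raw), "chars": chars})
    return sections


def packing_indicators(sections: list) -> list:
    """Return human-readable reasons to suspect a packer; empty list = nothing found."""
    hits = []
    for s in sections:
        if s["name"] not in KNOWN_SECTION_NAMES:
            hits.append(f"non-standard section name {s['name']!r}")
        if s["raw_size"] >= 256 and s["entropy"] > 7.0:
            hits.append(f"{s['name']}: high entropy {s['entropy']:.2f}")
        if s["chars"] & IMAGE_SCN_MEM_EXECUTE and s["chars"] & IMAGE_SCN_MEM_WRITE:
            hits.append(f"{s['name']}: writable and executable")
        if s["raw_size"] == 0 and s["vsize"] > 0:
            hits.append(f"{s['name']}: no raw data but 0x{s['vsize']:x} bytes virtual "
                        "(stub will unpack into it at runtime)")
    return hits


def build_pe(sections) -> bytes:
    """Constructed, non-runnable PE32 image, just enough for the parser above."""
    opt = b"\0" * 0xE0                      # PE32 optional header size; contents unused
    hdr_len = 0x40 + 4 + 20 + len(opt) + 40 * len(sections)
    table, blobs = b"", b""
    for name, data, vsize, chars in sections:
        ptr = hdr_len + len(blobs) if data else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, 0x1000,
                             len(data), ptr, 0, 0, 0, 0, chars)
        blobs += data
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                                   len(opt), 0x0102)
    return dos + coff + opt + table + blobs


RWX = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
# Constructed samples: a UPX-style layout (empty UPX0 to unpack into, dense UPX1
# holding the compressed image) and a plain compiler-emitted layout.
PACKED_SAMPLE = build_pe([
    ("UPX0", b"", 0x20000, RWX),
    ("UPX1", bytes(range(256)) * 4, 0x4000, RWX),   # every byte value equally likely
    (".rsrc", b"\0" * 512, 0x200, IMAGE_SCN_MEM_READ),
])
UNPACKED_SAMPLE = build_pe([
    (".text", b"\x55\x8b\xec\x83\xec\x40" * 100, 0x1000,
     IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_EXECUTE),
    (".data", b"Hello, world\0" * 40, 0x200, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])

if __name__ == "__main__":
    for label, img in (("packed", PACKED_SAMPLE), ("unpacked", UNPACKED_SAMPLE)):
        for s in parse_sections(img):
            print(f"{label:8} {s['name']:8} raw=0x{s['raw_size']:05x} "
                  f"virt=0x{s['vsize']:05x} H={s['entropy']:.2f}")
        print(f"{label:8} indicators: {packing_indicators(parse_sections(img)) or 'none'}")
```

None of these signals is proof on its own: a legitimate installer or a .NET image with an embedded resource can have one high-entropy section, and some toolchains emit odd section names. The combination of a near-empty RWX section, a dense sibling section and a tiny import table is what should push the analyst towards dynamic unpacking rather than further disassembly of the stub.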
- Question #139
Which of the following is the MOST reliable indicator that the payload is unpacked?
- Question #140
A PE file's .rsrc section contains an embedded executable. What is the MOST common malware characteristic?
- Question #141
When analyzing a ransomware sample you find code referencing CryptDeriveKey. What does this indicate?
- Question #142
Which condition MOST strongly confirms reflective DLL loading?
- Question #143
IsDebuggerPresent() returns false but debugging artifacts are detected. What is the malware likely doing?
- Question #144
A sample repeatedly checks CPU vendor strings. Which goal is MOST likely?
- Question #145
Which of the following are common flow control instructions used in malware? (Choose two)
- Question #146
Which of the following is a common obfuscation technique used in .NET malware?
- Question #147
Which API calls are commonly used by malware to manipulate processes and inject code? (Choose two)
- Question #148
In reverse engineering .NET malware, what does dynamic analysis allow you to observe?
- Question #149
Which assembly instruction is commonly used to alter the flow of execution in malware?
- Question #150
Which of the following indicators suggest the presence of .NET malware in a system? (Choose two)