GREM Exam Questions

What is the purpose of employing anti-disassembly techniques in malware?

In the context of reversing malware, what is the role of static analysis?

Process hollowing is a technique used by malware. What is the final step in this process?

What is a key indicator that an RTF file contains embedded malicious content?

What does it imply if a .NET malware sample contains calls to the System.Reflection.Assembly.Load method?

In the context of overcoming misdirection techniques, why is single-stepping through code important?

In the context of malware analysis, what is the significance of detecting packed or encrypted sections within a binary?

Which tool can be used to extract shellcode from a malicious RTF file for further analysis?

Which Windows event is MOST useful for mapping malware persistence?

Which dynamic observation MOST reliably confirms keylogging behavior?

During memory analysis you detect an injected PE image missing the MZ header. What technique is MOST likely?

A sample uses heavy obfuscation and multiple layers of unpacking. Which approach is MOST effective?

A malware modifies the Import Address Table of a process at runtime. Which technique is being used?

What can the analysis of import tables in an executable reveal about suspected malware?

What is the main purpose of using the SetWindowsHookEx function in malware?

Which of the following best describes the process of unpacking malware?

In malware analysis, what is the purpose of comparing the hash of a suspicious file to known malware databases?

Which of the following indicators should raise suspicion when analyzing the contents of an RTF file? (Choose Two)

How can an analyst use the entropy value of a file during malware analysis?

What aspect of an embedded object within an RTF file is crucial to analyze for determining potential malicious intent?

Why is it important to identify and understand conditional branches when analyzing assembly code?

How can malware attempt to detect and respond to being run in a virtual machine? (Choose Three)

Which of the following instructions is used to transfer control back to the calling function?

Which are common methods for analyzing malicious software? (Choose Two)

Which Windows API most strongly indicates credential harvesting?

A sample performs periodic DNS queries with base64 encoded payloads. What is this behavior?

Which tool is BEST suited for analyzing stack traces during a debugger session?

You see a PE section with very high entropy and no readable strings. What is the MOST likely condition?

You are analyzing a suspicious PDF document that was flagged by antivirus software. Initial inspection shows that the PDF contains a JavaScript action triggering upon document open...

What is a common technique used by malware to detect the presence of a debugger?

When analyzing an RTF file, which of the following strings would likely indicate the presence of an embedded object or shellcode?

What is a potential sign of malicious activity within a PDF file?

When analyzing a function in assembly language, how can you identify the function's parameters?

You are analyzing a malware sample and notice it uses multiple JMP instructions that lead to dead code segments, making it difficult to follow the actual execution flow. What steps...

What is the significance of identifying obfuscated code within a macro?

You are performing behavioral analysis on a malware sample that makes unusual DNS queries and writes data to a specific registry key. Which actions should you take to further inves...

Which of the following is a fundamental step in malware analysis before executing a sample?

You are performing malware analysis on a suspicious executable. The sample creates multiple new processes, modifies the registry, and connects to external IP addresses during execu...

When analyzing a macro within a Microsoft Office file, which of the following indicators would likely suggest malicious intent?

Which of the following components are essential for a well-equipped malware analysis lab? (Choose Two)

Which of the following methods can be used to analyze a suspicious PDF document? (Choose Two)

In the x86 calling convention, where is the return address of a function typically stored?