I mean, just run it in an emulator or virtual machine, and wait until the payload is executed...
If you can't figure out when the payload is executed, modify the emulator to track which memory locations contain data that depends on the encrypted data (similar to how Valgrind propagates validity bits), and then stop the first time a jump is done to one of them.
If the problem is that they can't trigger execution of the payload because it uses a key computed from data only present on unknown target systems, then decryption is simply impossible if the malware is properly written (because they would need to reverse a strong cypher).
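The taint-tracking idea in the comment above, as an added toy example (not the commenter's code; the instruction set, addresses, key and stub are all constructed assumptions): bytes from the encrypted region start tainted, taint follows the data through loads, XORs and stores, and the emulator stops the first time control is transferred into tainted memory.

```python
ENC_START, ENC_LEN, KEY = 0x100, 16, 0x5A   # constructed: blob location and XOR key

def make_memory(blob, start):
    """Flat memory plus one taint bit per byte; the encrypted blob starts tainted."""
    mem, taint = bytearray(0x200), [False] * 0x200
    mem[start:start + len(blob)] = blob
    taint[start:start + len(blob)] = [True] * len(blob)
    return mem, taint

def run(mem, taint, program):
    """Run the toy stub; return the first jump target that lies in tainted memory, else None."""
    regs, rtaint, pc = {}, {}, 0
    while pc < len(program):
        op, *a = program[pc]
        pc += 1
        if op == "movi":                  # r = imm: an immediate is clean
            regs[a[0]], rtaint[a[0]] = a[1], False
        elif op == "load":                # r = mem[r_addr]: taint travels with the byte
            regs[a[0]], rtaint[a[0]] = mem[regs[a[1]]], taint[regs[a[1]]]
        elif op == "store":               # mem[r_addr] = r: taint travels with the byte
            mem[regs[a[0]]], taint[regs[a[0]]] = regs[a[1]], rtaint[a[1]]
        elif op == "xor":                 # r ^= r2: tainted if either operand was
            regs[a[0]] ^= regs[a[1]]
            rtaint[a[0]] |= rtaint[a[1]]
        elif op == "addi":                # r += imm: taint unchanged
            regs[a[0]] += a[1]
        elif op == "jlt" and regs[a[0]] < a[1]:   # loop back within the stub itself
            pc = a[2]
        elif op == "jmp_mem" and taint[regs[a[0]]]:  # control enters data derived from the blob
            return regs[a[0]]
    return None

# Constructed unpacker stub: XOR-decrypt the blob in place, then jump into it.
STUB = [
    ("movi", "p", ENC_START),             # p = cursor into the blob
    ("movi", "k", KEY),                   # k = hard-coded key (clean, not derived from the blob)
    ("load", "v", "p"),                   # loop start (index 2): v = mem[p]
    ("xor", "v", "k"),                    # v ^= k, v stays tainted
    ("store", "p", "v"),                  # mem[p] = v, so mem[p] stays tainted
    ("addi", "p", 1),
    ("jlt", "p", ENC_START + ENC_LEN, 2),
    ("movi", "e", ENC_START),
    ("jmp_mem", "e"),                     # first jump into decrypted bytes: emulator stops here
]

def find_payload_entry(plaintext=bytes(range(ENC_LEN))):
    """Encrypt a constructed payload, run the stub, return (entry address, recovered bytes)."""
    mem, taint = make_memory(bytes(b ^ KEY for b in plaintext), ENC_START)
    entry = run(mem, taint, STUB)
    return entry, bytes(mem[ENC_START:ENC_START + ENC_LEN])
```

A real emulator fetches the stub from memory too, and jumps into clean memory simply continue; here only the taint check on the jump target is modelled.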
Copyright © 2017, Eklektix, Inc.