Analysis
-
max time kernel
15s -
max time network
14s -
platform
windows7_x64 -
resource
win7v20210410 -
submitted
13-04-2021 17:46
Static task
static1
Behavioral task
behavioral1
Sample
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe
Resource
win7v20210410
Behavioral task
behavioral2
Sample
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe
Resource
win10v20210408
General
-
Target
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe
-
Size
54KB
-
MD5
0390938e8a9df14af45e264a128a5bf8
-
SHA1
f90f83c3dbcbe9b5437316a67a8abe6a101ef4c3
-
SHA256
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210
-
SHA512
c4b8d0d086a7f3c9aa83e2ad5baa36027cd8785878913b7dc0ad698066aaa0f298dec59cb6fb42cf76530c8be9b242bdacfb1253eb02a6ad84a872df4c586e98
Malware Config
Extracted
C:\\README.949640ab.TXT
https://ibb.co/VVs2pWQ
https://ibb.co/6mTC5z5
https://ibb.co/fkrPPvX
https://ibb.co/rHpTh5S
https://ibb.co/4KV5bZY
https://ibb.co/njzryN8
https://ibb.co/qRS30cL
https://ibb.co/1bwGGHH
https://ibb.co/dKbwVVY
https://ibb.co/8Nj4QQs
https://ibb.co/Csfhmq0
https://ibb.co/tbN2pXn
https://ibb.co/6ghqgbN
https://ibb.co/TgHvsjc
https://ibb.co/rQjXnyp
http://dark24zz36xm4y2phwe7yvnkkkkhxionhfrwp67awpb3r3bdcneivoqd.onion/2E84SN8WJ11IAIH947RGEYOYSO4S8DE3I3J16I5AXKUV2X4FZZN93AZ3D87T2E2O
Signatures
-
Modifies extensions of user files 23 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process File opened for modification C:\Users\Admin\Pictures\PublishWrite.tif.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\RepairStep.crw => C:\Users\Admin\Pictures\RepairStep.crw.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\SendRedo.tiff => C:\Users\Admin\Pictures\SendRedo.tiff.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\SetSearch.tif.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\StepPush.tiff => C:\Users\Admin\Pictures\StepPush.tiff.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\DismountDebug.raw.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\HideEdit.tif.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\PublishWrite.tif => C:\Users\Admin\Pictures\PublishWrite.tif.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\UnpublishUnregister.tiff => C:\Users\Admin\Pictures\UnpublishUnregister.tiff.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\UnpublishUnregister.tiff.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\UnpublishUnregister.tiff a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\RepairStep.crw.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\SearchInitialize.crw => C:\Users\Admin\Pictures\SearchInitialize.crw.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\SearchInitialize.crw.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\SendRedo.tiff.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\StepPush.tiff a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\StepPush.tiff.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\UnblockWrite.crw => C:\Users\Admin\Pictures\UnblockWrite.crw.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\DismountDebug.raw => C:\Users\Admin\Pictures\DismountDebug.raw.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\HideEdit.tif => C:\Users\Admin\Pictures\HideEdit.tif.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\SendRedo.tiff a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File renamed C:\Users\Admin\Pictures\SetSearch.tif => C:\Users\Admin\Pictures\SetSearch.tif.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe File opened for modification C:\Users\Admin\Pictures\UnblockWrite.crw.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Drops file in System32 directory 1 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\949640ab.BMP" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Modifies Control Panel 2 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Control Panel\Desktop\WallpaperStyle = "10" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Modifies data under HKEY_USERS 26 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionReason = "1" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionTime = 80870d6a8c30d701 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Control Panel\International a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a07001b000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecision = "0" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\949640ab.BMP" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32} a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecisionTime = 80870d6a8c30d701 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\32-e2-17-db-d2-77 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\32-e2-17-db-d2-77\WpadDecisionReason = "1" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadDecision = "0" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{2A905F01-0A57-4E51-8685-54144DDC3A32}\WpadNetworkName = "Network" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Modifies registry class 5 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\949640ab\DefaultIcon\ = "C:\\ProgramData\\949640ab.ico" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.949640ab\ = "949640ab" a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exepid process 1760 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe 1760 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
vssvc.exedescription pid process Token: SeBackupPrivilege 2044 vssvc.exe Token: SeRestorePrivilege 2044 vssvc.exe Token: SeAuditPrivilege 2044 vssvc.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exea11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exedescription pid process target process PID 1432 wrote to memory of 1760 1432 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1432 wrote to memory of 1760 1432 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1432 wrote to memory of 1760 1432 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1432 wrote to memory of 1760 1432 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1760 wrote to memory of 1464 1760 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1760 wrote to memory of 1464 1760 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1760 wrote to memory of 1464 1760 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe PID 1760 wrote to memory of 1464 1760 a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"1⤵
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"1⤵
- Drops file in System32 directory
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exeC:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe -work worker0 job0-17602⤵
- Modifies extensions of user files
-
C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"C:\Users\Admin\AppData\Local\Temp\a11cc5051e3a88428db495f6d8e4b6381a1cb3fa5946a525ef5c00bfcb44e210.bin.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken