Why would a Windows machine scan for port 137?

0

I have some honeypots scattered on an internal network and see, from time to time, random machines attempting to connect to port 137. This is a (legacy) Windows name resolution solution.

The machines which connect will be Windows 7 or 10, with NetBIOS over TCP enabled for some (valid) reasons.

My question is about why they attempt to connect to unrelated IPs (the IPs of my honeypots) as they have no direct reasons to contact them (they just sit in a corner and await connections).

Is there a scanning mechanism built into NetBIOS? This is not IP broadcast as it is discarded by the honeypot, which leaves only intentional connections.

WoJ

Posted 2018-03-21T09:08:53.623

Reputation: 1 580

Port 137 is a UDP port used by NetBIOS. Do your honeypots run WINS? Yes, it has scanning or query mechanisms. You can grab more details from https://technet.microsoft.com/en-us/library/cc958811.aspx and https://www.techrepublic.com/article/how-netbios-name-resolution-really-works/

– Epoxy – 2018-03-21T10:40:48.467

@Epoxy: thanks for the articles, I read the standard too. Where do you see that there is scanning? I see broadcast (which is discarded in my case anyway, as it is not a directed connection) but not active research via a scan. – WoJ – 2018-03-21T10:51:15.200

You're quite welcome! Well, port 137's sole purpose is to aid name registration and to find names during NBT. This is not actually a session mode. This is simply a way to find names (find name). Port 137 can be utilized by TCP or UDP. In this case, the "nbname" is used for the Name Service, name broadcasts for building browsing lists. Three ports are used in this case (NBT); the other ports, 138 and 139, have other responsibilities. NBT also depends on the DNS. SMB also depends on NetBIOS unless direct hosted. In your case, to determine what type of query it receives, use Wireshark. – Epoxy – 2018-03-21T11:57:40.667
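
Following the suggestion above to look at what kind of query actually arrives, here is an added example (not code from the original thread or from either participant) that decodes an NBNS (UDP/137) question section per RFC 1002: transaction ID, the B (broadcast) and RD flags, the first-level "A..P" encoded NetBIOS name with its 16th-byte suffix, and the question type. It distinguishes a broadcast name query (type NB, 0x0020) from a node status request (type NBSTAT, 0x0021), which is addressed to one specific IP and asks that host for its own name table. The two sample packets, the transaction IDs and the name FILESERVER are constructed for this example, not captured from the poster's honeypots.

```python
"""Decode NetBIOS Name Service (NBNS, UDP/137) queries as defined in RFC 1002.

The sample packets below are constructed for this example; they are not
captures from the honeypots discussed in the thread.
"""
import struct

QTYPE_NAMES = {0x0020: "NB", 0x0021: "NBSTAT"}
OPCODE_NAMES = {0: "query", 5: "registration", 6: "release", 7: "WACK", 8: "refresh"}
# Commonly seen 16th-byte suffixes (Microsoft's assignments).
SUFFIX_NAMES = {0x00: "workstation", 0x03: "messenger", 0x1B: "domain master browser",
                0x1C: "domain controllers", 0x1D: "master browser",
                0x1E: "browser election", 0x20: "file server"}


def encode_nb_name(name: str, suffix: int, pad: bytes = b" ") -> bytes:
    """First-level encoding: 15-byte padded name + suffix byte -> 32 chars in A..P.

    Each nibble of each byte becomes one character: nibble + ord('A').
    The wildcard name "*" used by node status requests is padded with NULs.
    """
    raw = name.upper().encode("ascii").ljust(15, pad)[:15] + bytes([suffix])
    out = bytearray()
    for b in raw:
        out += bytes([0x41 + (b >> 4), 0x41 + (b & 0x0F)])
    return bytes(out)


def decode_nb_name(encoded: bytes):
    """Reverse of encode_nb_name; returns (name, suffix)."""
    if len(encoded) != 32:
        raise ValueError("first-level encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for hi, lo in zip(encoded[0::2], encoded[1::2]):
        hi -= 0x41
        lo -= 0x41
        if not (0 <= hi <= 15 and 0 <= lo <= 15):
            raise ValueError("encoded name contains characters outside A..P")
        raw.append((hi << 4) | lo)
    name = bytes(raw[:15]).rstrip(b" \x00").decode("ascii", "replace")
    return name, raw[15]


def build_query(trn_id: int, flags: int, name: str, suffix: int, qtype: int,
                pad: bytes = b" ") -> bytes:
    """Build a one-question NBNS request (QDCOUNT=1, class IN)."""
    header = struct.pack(">HHHHHH", trn_id, flags, 1, 0, 0, 0)
    qname = b"\x20" + encode_nb_name(name, suffix, pad) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 0x0001)


def parse_nbns(pkt: bytes) -> dict:
    """Parse the NBNS header and, if present, the first question."""
    if len(pkt) < 12:
        raise ValueError("short NBNS header")
    trn_id, flags, qd, _an, _ns, _ar = struct.unpack_from(">HHHHHH", pkt, 0)
    info = {
        "trn_id": trn_id,
        "is_response": bool(flags & 0x8000),
        "opcode": OPCODE_NAMES.get((flags >> 11) & 0xF, "unknown"),
        "recursion_desired": bool(flags & 0x0100),  # RD
        "broadcast": bool(flags & 0x0010),          # B flag in NM_FLAGS
        "rcode": flags & 0xF,
        "qdcount": qd,
    }
    if qd == 0:
        return info
    off = 12
    label_len = pkt[off]
    off += 1
    if label_len != 32:
        raise ValueError("NetBIOS question name must be a 32-byte label")
    name, suffix = decode_nb_name(pkt[off:off + 32])
    off += 32
    # Optional scope labels follow the name until a zero-length terminator.
    scope = []
    while True:
        if off >= len(pkt):
            raise ValueError("truncated question name")
        ln = pkt[off]
        off += 1
        if ln == 0:
            break
        scope.append(pkt[off:off + ln].decode("ascii", "replace"))
        off += ln
    qtype, qclass = struct.unpack_from(">HH", pkt, off)
    info.update(name=name, suffix=suffix, suffix_meaning=SUFFIX_NAMES.get(suffix, "other"),
                scope=".".join(scope), qtype=QTYPE_NAMES.get(qtype, hex(qtype)), qclass=qclass)
    return info


def describe(info: dict) -> str:
    """One-line triage verdict for a parsed packet."""
    if info.get("qtype") == "NBSTAT":
        return "node status request (NBSTAT): asks the destination host for its own name table"
    if info.get("qtype") == "NB":
        how = "broadcast" if info["broadcast"] else "unicast"
        return f"{how} name query for {info['name']}<{info['suffix']:02X}> ({info['suffix_meaning']})"
    return f"{info['opcode']} packet"


# Constructed sample 1: broadcast name query, flags 0x0110 (RD|B), for FILESERVER<20>.
SAMPLE_BROADCAST_QUERY = build_query(0x8F2A, 0x0110, "FILESERVER", 0x20, 0x0020)

# Constructed sample 2: node status request as a packet analyzer would show the bytes:
# flags 0x0000, wildcard name "*" (encoded "CK" + 30 x "A"), QTYPE NBSTAT, QCLASS IN.
SAMPLE_NODE_STATUS = (
    bytes.fromhex("1234 0000 0001 0000 0000 0000")  # header: id, flags, QD=1, AN/NS/AR=0
    + b"\x20" + b"CK" + b"A" * 30 + b"\x00"        # question name "*"
    + bytes.fromhex("0021 0001")                   # QTYPE NBSTAT, QCLASS IN
)

if __name__ == "__main__":
    for pkt in (SAMPLE_BROADCAST_QUERY, SAMPLE_NODE_STATUS):
        print(describe(parse_nbns(pkt)))
```

To use it on real traffic, feed `parse_nbns` the UDP payload of each packet captured on the honeypot's port 137 (for example exported from Wireshark or read with a pcap library); a question of type NBSTAT with the B flag clear is a host-directed request and cannot be explained by broadcast filtering.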

@Epoxy: this still does not explain why there was an intentional connection to my device (which is just an IP, without any functions and not advertised anywhere) – WoJ – 2018-03-25T20:25:04.287

I think we will be able to find this out using a network packet analyzer. In this case, I still have doubts. :) – Epoxy – 2018-03-28T12:43:46.937

No answers